Splunk Search

## How do you apply a formula from another field to eval its value?

Path Finder

Hi,

I basically want to eval a result-field based on the formula contained in another field. The formula in the other field references fields containing the actual values. E.g. input table is like this (The "Niederdruck" field contains the actual formula for each equipment):

``````equipment, a001, a002, a006, a101, Niederdruck
1005, 6, 7, 8, 5, (a002-3)/10
1006, 8, 9, 10, 11, (a002-4)/10
1007, 14, 15, 16, 17, (a002-6)/10
``````

So, for the first equipment, 1005, I want to have myresult field value = (a002-3)/10 = (7-3)/10 = 0.4
For the 2nd row, equipment, 1006, I want to have myresult value = (a002-4)/10 = (9-4)/10 = 0.5
And the 3rd one, equipment 1007, the myresult should be = (a002-6)/10 = (15-6)/10 = 0.9

It should be something simple like:

``````eval myresult = *evaluate the function contained in* Niederdruck
``````

Maybe I only need to use a right "escape character" around Niederdruck, but I am struggling.

Hope there is an easy solution!

Best

Tags (2)
Path Finder

Hi,
thanks, almost there... is there a way to avoid having the input fields (e.g. a001, a002, a006, ...) as "static" texts inside this formula snipplet:

eval a001=\$a001\$, a002=\$a002\$, a006=\$a006\$, a101=\$a101\$, equipment=\$equipment\$, myresult=[|makeresults|eval myresult=\$Niederdruck\$|return \$myresult]"

Reason is: in reality, there are around 60 of them (and they already contain the values to be shown!), and the end-user can select which of them to display, along with the formula in a timechart later... I basically only want to add the column "myresult" to the existing "input table"...

Thanks!
Best Regards

Esteemed Legend

There are 2 `templating` capabilities in splunk: `map` and `subsearch`. You can use them together to solve your situation like this:

``````|makeresults | eval raw="1005, 6, 7, 8, 5, (a002-3)/10:::1006, 8, 9, 10, 11, (a002-4)/10:::1007, 14, 15, 16, 17, (a002-6)/10"
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw
| rex "^(?<equipment>[^,]+),\s*(?<a001>[^,]+),\s*(?<a002>[^,]+),\s*(?<a006>[^,]+),\s*(?<a101>[^,]+),\s*(?<Niederdruck>[^,]+)\$"

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| map max_matches=99 search="|makeresults| eval a001=\$a001\$, a002=\$a002\$, a006=\$a006\$, a101=\$a101\$, equipment=\$equipment\$, myresult=[|makeresults|eval myresult=\$Niederdruck\$|return \$myresult]"
``````
Esteemed Legend

You can execute the `RegEx` value of any field against the string value of another field like this: `| eval WoodcockMagic = replace(fieldnameSourceString, fieldnameRegExString, fieldnameReplacementString)`. Almost nobody knows that you can pass in EITHER string literals OR field names to eval's `replace` function!!!!!

Motivator

Hello @flopit,

There is no easy solution as far as I know.
I found a similar question on SplunkAnswer here: How to convert my lookup field value to an executable formula?
However, I can't see that working in your case.

I suggest you configure an external lookup. This way, you pass all parameters including the formula to an script (you can choose the programming language) and the script will calculate and return the result to Splunk.

.conf21 CFS Extended through 5/20!

### Don't miss your chance to share your Splunk wisdom in-person or virtually at .conf21!Call for Speakers hasbeen extended throughThursday, 5/20! Submit Now! >

Get Updates on the Splunk Community!