Splunk Search

How do you apply a formula from another field to eval its value?

Path Finder


I basically want to eval a result-field based on the formula contained in another field. The formula in the other field references fields containing the actual values. E.g. input table is like this (The "Niederdruck" field contains the actual formula for each equipment):

equipment, a001, a002, a006, a101, Niederdruck
1005, 6, 7, 8, 5, (a002-3)/10
1006, 8, 9, 10, 11, (a002-4)/10
1007, 14, 15, 16, 17, (a002-6)/10

So, for the first equipment, 1005, I want to have myresult field value = (a002-3)/10 = (7-3)/10 = 0.4
For the 2nd row, equipment, 1006, I want to have myresult value = (a002-4)/10 = (9-4)/10 = 0.5
And the 3rd one, equipment 1007, the myresult should be = (a002-6)/10 = (15-6)/10 = 0.9

It should be something simple like:

eval myresult = *evaluate the function contained in* Niederdruck

Maybe I only need to use a right "escape character" around Niederdruck, but I am struggling.

Hope there is an easy solution!


Tags (2)
0 Karma

Path Finder

thanks, almost there... is there a way to avoid having the input fields (e.g. a001, a002, a006, ...) as "static" texts inside this formula snipplet:

eval a001=$a001$, a002=$a002$, a006=$a006$, a101=$a101$, equipment=$equipment$, myresult=[|makeresults|eval myresult=$Niederdruck$|return $myresult]"

Reason is: in reality, there are around 60 of them (and they already contain the values to be shown!), and the end-user can select which of them to display, along with the formula in a timechart later... I basically only want to add the column "myresult" to the existing "input table"...

Best Regards

0 Karma

Esteemed Legend

There are 2 templating capabilities in splunk: map and subsearch. You can use them together to solve your situation like this:

|makeresults | eval raw="1005, 6, 7, 8, 5, (a002-3)/10:::1006, 8, 9, 10, 11, (a002-4)/10:::1007, 14, 15, 16, 17, (a002-6)/10"
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw
| rex "^(?<equipment>[^,]+),\s*(?<a001>[^,]+),\s*(?<a002>[^,]+),\s*(?<a006>[^,]+),\s*(?<a101>[^,]+),\s*(?<Niederdruck>[^,]+)$"

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| map max_matches=99 search="|makeresults| eval a001=$a001$, a002=$a002$, a006=$a006$, a101=$a101$, equipment=$equipment$, myresult=[|makeresults|eval myresult=$Niederdruck$|return $myresult]"
0 Karma

Esteemed Legend

You can execute the RegEx value of any field against the string value of another field like this: | eval WoodcockMagic = replace(fieldnameSourceString, fieldnameRegExString, fieldnameReplacementString). Almost nobody knows that you can pass in EITHER string literals OR field names to eval's replace function!!!!!

0 Karma


Hello @flopit,

There is no easy solution as far as I know.
I found a similar question on SplunkAnswer here: How to convert my lookup field value to an executable formula?
However, I can't see that working in your case.

I suggest you configure an external lookup. This way, you pass all parameters including the formula to an script (you can choose the programming language) and the script will calculate and return the result to Splunk.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!