How do you store multiple similar field names as values in a new field?

mpatel11
Explorer

I have multiple fields with similar names abc*, example:
abcXYZ1
abcKLM
abc_DEF

I want to create a new field, say 'EVENT' which will have values as abc* field names. So, values of 'EVENT' = abcXYZ1, abcKLM and abc_DEF

1 Solution

kamlesh_vaghela
SplunkTrust

@mpatel11

Can you please try this?

YOUR_SEARCH   | foreach abc* [ eval EVENT=if(isnull(EVENT),"<<FIELD>>",EVENT.","."<<FIELD>>") ]

My Sample Search:

|makeresults |  eval abcXYZ1="AAA",
abcKLM="BBB",
abc_DEF="CCC" | foreach abc* [ eval EVENT=if(isnull(EVENT),"<<FIELD>>",EVENT.","."<<FIELD>>") ]

Updated Answer:

   YOUR_SEARCH | foreach abc* 
    [ eval EVENT = case(isnull(EVENT) AND isnotnull(<<FIELD>>),"<<FIELD>>",isnotnull(EVENT) AND isnotnull(<<FIELD>>),EVENT.","."<<FIELD>>",1=1,EVENT)]

Sample Search

| makeresults 
| eval abcXYZ1="AAA",
    abcKLM="BBB",
    abc_DEF="CCC" 
| append 
    [| makeresults 
    | eval abcXYZ1="AAA",
        abcXYZ="BBB",
        abc_DEF1="CCC" ] 
| append 
    [| makeresults 
    | eval abcXYZ1="AAA",
        abcXYZ2="BBB",
        abc_DEF2="CCC" ] 
| foreach abc* 
    [ eval EVENT = case(isnull(EVENT) AND isnotnull(<<FIELD>>),"<<FIELD>>",isnotnull(EVENT) AND isnotnull(<<FIELD>>),EVENT.","."<<FIELD>>",1=1,EVENT)]

Thanks

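As an added example (not from the thread), a variant of kamlesh_vaghela's updated search that builds EVENT as a multivalue field instead of a comma-joined string, quotes the field reference with `'<<FIELD>>'` so names with unusual characters still resolve, and counts how many abc* fields each row carries; the rows are constructed with makeresults, and the `unrelated` field name is an assumption used to show a row with no abc* field at all.

```spl
| makeresults
| eval abcXYZ1="AAA", abcKLM="BBB"
| append
    [| makeresults
    | eval abc_DEF="CCC" ]
| append
    [| makeresults
    | eval unrelated="DDD" ]
| foreach abc*
    [ eval EVENT = if(isnotnull('<<FIELD>>'),
                      if(isnull(EVENT), "<<FIELD>>", mvappend(EVENT, "<<FIELD>>")),
                      EVENT) ]
| eval EVENT_COUNT = coalesce(mvcount(EVENT), 0)
| table _time, abc*, EVENT, EVENT_COUNT
```

Rows with EVENT_COUNT greater than 1 show that the abc* fields are not actually mutually exclusive, and a trailing `| stats count by EVENT` summarises which field combinations occur.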

mpatel11
Explorer

This works exactly as requested. Thanks.

I would actually like to enhance on the question.
Say I have 100 rows of logs.
Some have only field abcXYZ1 and not the other 2, some have field abcKLM and not the other 2, and so on...
So the occurrence of fields abc* is mutually exclusive.

Now based on this, I want to add another field EVENT which will look if that log has field abcXYZ1, then value of EVENT = abcXYZ1; if a log has field abcKLM, then EVENT=abcKLM, and so on...

So looking at a log and finding which type of field it has based on abc*, only that field's name will be stored as the value in the new field EVENT.

Hope it is clear to understand.

0 Karma

mpatel11
Explorer

Never mind, I'll post this as a separate question. Thanks for the help Kamlesh.

0 Karma

kamlesh_vaghela
SplunkTrust

@mpatel11

Apologies for the late reply. Please check my updated answer.

0 Karma

mpatel11
Explorer

Updated answer also works like a charm. Thanks for the help.

0 Karma

kamlesh_vaghela
SplunkTrust

Glad to help you mpatel.

0 Karma