How do you store multiple similar field names as values in a new field?

mpatel11
Explorer

I have multiple fields with similar names matching abc*, for example:
abcXYZ1
abcKLM
abc_DEF

I want to create a new field, say 'EVENT', which will have the abc* field names as its values. So, the values of 'EVENT' = abcXYZ1, abcKLM and abc_DEF

1 Solution

kamlesh_vaghela
SplunkTrust

@mpatel11

Can you please try this?

YOUR_SEARCH   | foreach abc* [ eval EVENT=if(isnull(EVENT),"<<FIELD>>",EVENT.","."<<FIELD>>") ]

My Sample Search:

|makeresults |  eval abcXYZ1="AAA",
abcKLM="BBB",
abc_DEF="CCC" | foreach abc* [ eval EVENT=if(isnull(EVENT),"<<FIELD>>",EVENT.","."<<FIELD>>") ]

Updated Answer:

   YOUR_SEARCH | foreach abc* 
    [ eval EVENT = case(isnull(EVENT) AND isnotnull(<<FIELD>>),"<<FIELD>>",isnotnull(EVENT) AND isnotnull(<<FIELD>>),EVENT.","."<<FIELD>>",1=1,EVENT)]

Sample Search

| makeresults 
| eval abcXYZ1="AAA",
    abcKLM="BBB",
    abc_DEF="CCC" 
| append 
    [| makeresults 
    | eval abcXYZ1="AAA",
        abcXYZ="BBB",
        abc_DEF1="CCC" ] 
| append 
    [| makeresults 
    | eval abcXYZ1="AAA",
        abcXYZ2="BBB",
        abc_DEF2="CCC" ] 
| foreach abc* 
    [ eval EVENT = case(isnull(EVENT) AND isnotnull(<<FIELD>>),"<<FIELD>>",isnotnull(EVENT) AND isnotnull(<<FIELD>>),EVENT.","."<<FIELD>>",1=1,EVENT)]

Thanks
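To make the difference between the first search and the updated one concrete, here is a small Python model of both (added here; it is not Splunk code and not from the answer). It assumes foreach expands abc* against every field name present anywhere in the result set, so a row that lacks one of those fields sees it as null; SAMPLE_RESULTS is constructed from the three makeresults rows above.

```python
"""Model of the two 'foreach abc*' searches from the accepted answer.

Added illustration, not Splunk code: each dict is one search result;
a field missing from a dict is treated as null for that row.
"""
import fnmatch

# Constructed sample results mirroring the three makeresults rows.
SAMPLE_RESULTS = [
    {"abcXYZ1": "AAA", "abcKLM": "BBB", "abc_DEF": "CCC"},
    {"abcXYZ1": "AAA", "abcXYZ": "BBB", "abc_DEF1": "CCC"},
    {"abcXYZ1": "AAA", "abcXYZ2": "BBB", "abc_DEF2": "CCC", "other": "x"},
]


def wildcard_fields(results, pattern):
    """Assumed foreach semantics: the wildcard is expanded once against
    every field name seen anywhere in the result set (first-seen order)."""
    seen = []
    for row in results:
        for name in row:
            if fnmatch.fnmatchcase(name, pattern) and name not in seen:
                seen.append(name)
    return seen


def event_first_answer(row, fields):
    """eval EVENT=if(isnull(EVENT),"<<FIELD>>",EVENT.","."<<FIELD>>")
    Only EVENT is tested, never the field itself, so every expanded
    name is appended to every row, whether or not the row has it."""
    event = None
    for name in fields:
        event = name if event is None else event + "," + name
    return event


def event_updated_answer(row, fields):
    """case(isnull(EVENT) AND isnotnull(<<FIELD>>), "<<FIELD>>",
            isnotnull(EVENT) AND isnotnull(<<FIELD>>), EVENT.","."<<FIELD>>",
            1=1, EVENT): a name is appended only if the row has that field."""
    event = None
    for name in fields:
        if row.get(name) is None:
            continue
        event = name if event is None else event + "," + name
    return event


def run(results, pattern="abc*", updated=True):
    """Return the EVENT value for each row under the chosen search."""
    fields = wildcard_fields(results, pattern)
    fn = event_updated_answer if updated else event_first_answer
    return [fn(row, fields) for row in results]
```

With the mixed rows, the first search labels every row with all seven field names, while the updated search lists only the three fields each row actually carries.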

mpatel11
Explorer

This works exactly as requested. Thanks.

I would actually like to expand on the question.
Say I have 100 rows of logs.
Some have only the field abcXYZ1 and not the other 2, some have the field abcKLM and not the other 2, and so on...
So the occurrence of the abc* fields is mutually exclusive.

Now, based on this, I want to add another field EVENT which will check whether that log has the field abcXYZ1; if so, the value of EVENT = abcXYZ1, if a log has the field abcKLM then EVENT=abcKLM, and so on...

So, looking at a log and finding which type of abc* field it has, only that field's name will be stored as the value in the new field EVENT.

I hope this is clear.

mpatel11
Explorer

Never mind, I'll post this as a separate question. Thanks for the help, Kamlesh.

kamlesh_vaghela
SplunkTrust
SplunkTrust

@mpatel11

Apologies for the late reply. Please check my updated answer.

mpatel11
Explorer

The updated answer also works like a charm. Thanks for the help.

kamlesh_vaghela
SplunkTrust
SplunkTrust

Glad to help you, mpatel.
