Splunk Search

How do you treat a variable value as another field with Splunk?

derekho55
Explorer

I have a field named "object_XXX_property", where the XXX string is dynamically generated and is held in another field named "entity". I want to get at the object property field and have it on a table. I figured that I probably need an intermediate variable to handle the dynamically generated field name:

base search | eval cn="object_".entity."_property" | ...

How can I get my cn variable to display the value of the object_property field with Splunk?

1 Solution

woodcock
Esteemed Legend

Like this:

| makeresults 
| eval entity = "foo" 
| eval object_foo_property = "correct"
| eval object_bar_property = "wrong"
| eval object_bat_property = "wrong"

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| eval cn="NO_MATCH"
| foreach object_*_property [ eval cn=if((entity="<<MATCHSTR>>"), <<FIELD>>, cn) ]

Do note that this also "works" but apparently is not what you desire (because it is the inverse):

| makeresults 
| eval entity = "foo" 

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| eval object_{entity}_property = "bar"

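As an added example that is not part of the accepted answer or of the original thread, here is the same foreach trick run over several events whose entity values differ, so that the NO_MATCH default is actually exercised. The entity names foo, bar and baz and the property values are constructed sample data; the only field that exists in the question is object_XXX_property with entity holding XXX.

```spl
| makeresults count=3
| streamstats count AS n
| eval entity=case(n=1, "foo", n=2, "bar", n=3, "baz")
| eval object_foo_property="foo-value", object_bar_property="bar-value"
| rename COMMENT AS "Everything above generates sample event data; everything below is the lookup"
| eval cn="NO_MATCH"
| foreach object_*_property [ eval cn=if(entity="<<MATCHSTR>>", '<<FIELD>>', cn) ]
| table entity cn
```

The table shows foo-value for foo, bar-value for bar and NO_MATCH for baz, because no object_baz_property field exists in the sample data. foreach substitutes <<FIELD>> and <<MATCHSTR>> textually before eval parses the expression, so wrapping the field token in single quotes ('<<FIELD>>') keeps the expression valid even when a matched field name contains characters eval would not accept bare. The {entity} brace expansion used in the other answer applies only to the field name being created on the left-hand side of eval, which is why eval cn = object_{entity}_property returns nothing: on the right-hand side eval looks for a field literally named object_{entity}_property.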

woodcock
Esteemed Legend

Now that I "get it", this is a GREAT question.



derekho55
Explorer

Thank you very much. This was what I was looking for. Got my query with some minor modifications on this.

woodcock
Esteemed Legend

It always looks so easy when you see the trick.


woodcock
Esteemed Legend

It was a fun problem to solve.


renjith_nair
SplunkTrust

@derekho55 ,

base search | eval object_{entity}_property="your value"

This will create fields named object_abc_property, object_xyz_property, etc., where abc and xyz are your entity values.

Happy Splunking!

derekho55
Explorer

Thanks for your response. I don't want to create a field named object_{entity}_property; it already exists as a field with a value in it that I want to extract.

I've been trying with

| eval cn = object_{entity}_property | table cn

but it won't work.

Straight up

base search | table object_{entity}_property

didn't work either.
