Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do you treat a variable value as another f...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
derekho55
Explorer
01-10-2019
09:11 AM
I have a field named "object_XXX_property", where XXX string is dynamically generated and is held in another field named "entity". I want to get at the object property field and have it on a table. I figured that I probably need an intermediate variable to handle the dynamically generated field name:
<code>base search | eval cn="objects_".entity."_property"|.. </code>
How can I get my cn variable to display the value of the object_property field with Splunk?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
01-11-2019
10:36 AM
Like this:
| makeresults
| eval entity = "foo"
| eval object_foo_property = "correct"
| eval object_bar_property = "wrong"
| eval object_bat_property = "wrong"
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| eval cn="NO_MATCH"
| foreach object_*_property [ eval cn=if((entity="<<MATCHSTR>>"), <<FIELD>>, cn) ]
Do note that this also "works" but apparently is not what you desire (because it is the inverse):
| makeresults
| eval entity = "foo"
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| eval object_{entity}_property = "bar"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
01-11-2019
10:38 AM
Now that I "get it", this is a GREAT question.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
01-11-2019
10:36 AM
Like this:
| makeresults
| eval entity = "foo"
| eval object_foo_property = "correct"
| eval object_bar_property = "wrong"
| eval object_bat_property = "wrong"
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| eval cn="NO_MATCH"
| foreach object_*_property [ eval cn=if((entity="<<MATCHSTR>>"), <<FIELD>>, cn) ]
Do note that this also "works" but apparently is not what you desire (because it is the inverse):
| makeresults
| eval entity = "foo"
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| eval object_{entity}_property = "bar"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
derekho55
Explorer
01-11-2019
01:49 PM
thank you very much. This was what I was looking for. Got my query with some minor modifications on this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
01-11-2019
03:34 PM
It always looks so easy when you see the trick.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
01-11-2019
02:10 PM
It was a fun problem to solve.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
01-10-2019
07:07 PM
base search | eval object_{entity}_property="your value"
This will create field names with object_abc_property,object_xyz_property etc where abc & xyz are your entity values
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
derekho55
Explorer
01-11-2019
09:46 AM
Thanks for your response. I don't want to create a field named object_{entity}_property; it already exists as a field with a value in it that I want to extract.
I've been trying with
| eval cn = object_{entity}_property| table cn but it wont work.
Straight up base search |table object_{entity}_property didn't work either.
Get Updates on the Splunk Community!
Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...
This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...
Elevate Your Organization with Splunk’s Next Platform Evolution
Thursday, July 10, 2025 | 11AM PDT / 2PM EDT
Whether you're managing complex deployments or looking to ...
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
