Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to access a field name using variable ?

sagrl
Explorer
‎08-28-2017 06:32 AM

My Splunk results are returning multiple fields including fields Sunday, Monday, Tuesday .... Saturday.

Now my requirement is if today is Sunday i want to access the value of field name Sunday, if today is Monday i need to access the value of Monday and so on..

Can someone help me in how to access the value of a field using variable ?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-28-2017 07:32 AM

Without seeing your query or expected output, my suggestion would be this (the subsearch would return the current weekday value and pass it on to table command.:

your search giving fields for each weekday
| table [| gentimes start=-1 | eval search=strftime(now(),"%A") | table search ]

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎09-10-2017 02:47 PM

I would do it like this:

| makeresults 
| eval date_wday=strftime(now(), "%A")
| map [search index="YouShouldAlwaysSpecifyAnIndex" sourcetype="AndSourcetypeToo" MyFieldName="$date_wday$"]
0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎08-28-2017 07:35 AM

@sagrl, you can run a dummy search in your dashboard to get today's weekday as a token and then use the same in your other searches in the dashboard.

<search>
    <query>| makeresults
| eval weekDay=lower(strftime(_time,"%A"))
    </query>
    <progress>
       <set token="tokenWeekDay">$result.weekDay$</set>
    </progress>
</search>

Then use the token $tokenWeekDay$ in your other searches in the dashboard:

<single>
    <search>
        <query>| makeresults
    | eval tokenData="$tokenWeekDay$"
    | table tokenData
        </query>
    </search>
</single>

PS: I have changed the weekday to lower case using lower() function. In case your use case is to match this against Splunk's default extracted field date_wday, it should be lowercase. Result of strftime() time modifier%Awould result in Week Days like Sunday, Monday etc. As you have asked in your question. Hence, if you are search for same casing in weekday values, then you do not require lower() function, juststrftime()` should work.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-28-2017 07:32 AM

Without seeing your query or expected output, my suggestion would be this (the subsearch would return the current weekday value and pass it on to table command.:

your search giving fields for each weekday
| table [| gentimes start=-1 | eval search=strftime(now(),"%A") | table search ]
Reply
Get Updates on the Splunk Community!

The OpenTelemetry Certified Associate (OTCA) Exam

What’s this OTCA exam? The Linux Foundation offers the OpenTelemetry Certified Associate (OTCA) credential to ...

From Manual to Agentic: Level Up Your SOC at Cisco Live

Welcome to the Era of the Agentic SOC   Are you tired of being a manual alert responder? The security ...

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

Welcome back to Splunk Classroom Chronicles, our ongoing series where we shine a light on what really happens ...