Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to access a field name using variable ?

sagrl
Explorer
‎08-28-2017 06:32 AM

My Splunk results are returning multiple fields including fields Sunday, Monday, Tuesday .... Saturday.

Now my requirement is if today is Sunday i want to access the value of field name Sunday, if today is Monday i need to access the value of Monday and so on..

Can someone help me in how to access the value of a field using variable ?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-28-2017 07:32 AM

Without seeing your query or expected output, my suggestion would be this (the subsearch would return the current weekday value and pass it on to table command.:

your search giving fields for each weekday
| table [| gentimes start=-1 | eval search=strftime(now(),"%A") | table search ]

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎09-10-2017 02:47 PM

I would do it like this:

| makeresults 
| eval date_wday=strftime(now(), "%A")
| map [search index="YouShouldAlwaysSpecifyAnIndex" sourcetype="AndSourcetypeToo" MyFieldName="$date_wday$"]
0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎08-28-2017 07:35 AM

@sagrl, you can run a dummy search in your dashboard to get today's weekday as a token and then use the same in your other searches in the dashboard.

<search>
    <query>| makeresults
| eval weekDay=lower(strftime(_time,"%A"))
    </query>
    <progress>
       <set token="tokenWeekDay">$result.weekDay$</set>
    </progress>
</search>

Then use the token $tokenWeekDay$ in your other searches in the dashboard:

<single>
    <search>
        <query>| makeresults
    | eval tokenData="$tokenWeekDay$"
    | table tokenData
        </query>
    </search>
</single>

PS: I have changed the weekday to lower case using lower() function. In case your use case is to match this against Splunk's default extracted field date_wday, it should be lowercase. Result of strftime() time modifier%Awould result in Week Days like Sunday, Monday etc. As you have asked in your question. Hence, if you are search for same casing in weekday values, then you do not require lower() function, juststrftime()` should work.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-28-2017 07:32 AM

Without seeing your query or expected output, my suggestion would be this (the subsearch would return the current weekday value and pass it on to table command.:

your search giving fields for each weekday
| table [| gentimes start=-1 | eval search=strftime(now(),"%A") | table search ]
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...