Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to access a field name using variable ?

sagrl
Explorer
‎08-28-2017 06:32 AM

My Splunk results are returning multiple fields including fields Sunday, Monday, Tuesday .... Saturday.

Now my requirement is if today is Sunday i want to access the value of field name Sunday, if today is Monday i need to access the value of Monday and so on..

Can someone help me in how to access the value of a field using variable ?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-28-2017 07:32 AM

Without seeing your query or expected output, my suggestion would be this (the subsearch would return the current weekday value and pass it on to table command.:

your search giving fields for each weekday
| table [| gentimes start=-1 | eval search=strftime(now(),"%A") | table search ]

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎09-10-2017 02:47 PM

I would do it like this:

| makeresults 
| eval date_wday=strftime(now(), "%A")
| map [search index="YouShouldAlwaysSpecifyAnIndex" sourcetype="AndSourcetypeToo" MyFieldName="$date_wday$"]
0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎08-28-2017 07:35 AM

@sagrl, you can run a dummy search in your dashboard to get today's weekday as a token and then use the same in your other searches in the dashboard.

<search>
    <query>| makeresults
| eval weekDay=lower(strftime(_time,"%A"))
    </query>
    <progress>
       <set token="tokenWeekDay">$result.weekDay$</set>
    </progress>
</search>

Then use the token $tokenWeekDay$ in your other searches in the dashboard:

<single>
    <search>
        <query>| makeresults
    | eval tokenData="$tokenWeekDay$"
    | table tokenData
        </query>
    </search>
</single>

PS: I have changed the weekday to lower case using lower() function. In case your use case is to match this against Splunk's default extracted field date_wday, it should be lowercase. Result of strftime() time modifier%Awould result in Week Days like Sunday, Monday etc. As you have asked in your question. Hence, if you are search for same casing in weekday values, then you do not require lower() function, juststrftime()` should work.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-28-2017 07:32 AM

Without seeing your query or expected output, my suggestion would be this (the subsearch would return the current weekday value and pass it on to table command.:

your search giving fields for each weekday
| table [| gentimes start=-1 | eval search=strftime(now(),"%A") | table search ]
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Keep the Learning Going with the New Best of .conf Hub

Hello Splunkers, With .conf26 getting closer, there’s already a lot of excitement building around this year’s ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...