Re: How to assemble a field via indirect reference...

dmankin · ‎11-20-2017

I have logs where the these fields exist:

raw_message="Dropped table {table_name}" table_name="jobs"

and I want to add a message field that combines these (probably using eval) like so:

message="Dropped table jobs"

How can I do this for arbitrary expansions in the raw_message? i.e. I don't know the full list of "{field_name}" fields that may appear in arbitrary raw_messages.

If it helps, I can reformat raw_message at the source to use different delimiters.

somesoni2 · ‎11-20-2017

It may not be the complete solution to your problem as your second field names are dynamic, but give this a try (runanywhere search, first line are to generate sample data)

| gentimes start=-1 | eval raw_message="Dropped table {table_name}" | table raw_message | eval table_name="jobs" 
| eval message=replace(raw_message.table_name,"^([\{]+)\{[^\}]+\}(.+)$","\1\2")

How to assemble a field via indirect references to other fields

Can’t make it to .conf25? Join us online!

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Are you a member of the Splunk Community?

How to assemble a field via indirect references to other fields

Can’t make it to .conf25? Join us online!

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain