Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to assemble a field via indirect references to other fields

dmankin
New Member
‎11-20-2017 03:59 PM

I have logs where the these fields exist:

raw_message="Dropped table {table_name}" table_name="jobs"

and I want to add a message field that combines these (probably using eval) like so:

message="Dropped table jobs"

How can I do this for arbitrary expansions in the raw_message? i.e. I don't know the full list of "{field_name}" fields that may appear in arbitrary raw_messages.

If it helps, I can reformat raw_message at the source to use different delimiters.

Tags (1)
0 Karma
Reply

somesoni2
Revered Legend
‎11-20-2017 04:31 PM

It may not be the complete solution to your problem as your second field names are dynamic, but give this a try (runanywhere search, first line are to generate sample data)

| gentimes start=-1 | eval raw_message="Dropped table {table_name}" | table raw_message | eval table_name="jobs" 
| eval message=replace(raw_message.table_name,"^([\{]+)\{[^\}]+\}(.+)$","\1\2")
0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...