Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a field from value of an existing field?

rwiley
Explorer
‎12-01-2016 07:57 AM

i have this search

index=cmedia sourcetype="adspecificsnmp" 
 | rex field=_raw mode=sed "s/=,/=NA,/g"
 | rex field=_raw max_match=0 "(?(\d+\.)+)(?\d+)=(?[^,]+)"
 | eval tempString=mvzip(sP, (mvzip (sS, sV, "~")), "~")
 | mvexpand tempString
 | rex field=tempString "(?[^~]+)~(?[^~]+)~(?(.*))"
 | eval myString=stringPrefix."".stringSuffix
 | lookup ACMCodes.csv Suffix as stringSuffix OUTPUT Description as description
 | table description, stringValue

this is partial result. there are 28 values in all

     description,                  stringValue
1   Version ,                   2
2   Box ,                       0
3   Port    ,                      0
4   NodeNumber,                 1
5   PositioinofSpot,               1
6   ScheduleSpotPosition,         1
7   EventPosition,               4
8   FramesPerSec,                 30
9   Owner,                       0

i need the description as a field with value of stringValue

Version ,       Box ,         Port,            NodeNumber,         PositionofSpot,
      2 ,         0 ,           0 ,                    1 ,                     1 ,

i hope this makes sense

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Flynt
Splunk Employee
Splunk Employee
‎12-01-2016 01:02 PM

A bit shoestringed here but what if you try

|chart list(stringValue)  over stringValue by description|stats list(*) as *|fields - stringValue

For example in the following test search -

|stats count|fields - count|eval description="Version ,", stringValue="2"|append [|stats count|fields - count|eval description="Box ,", stringValue="0"]|chart list(stringValue)  over stringValue by description|stats list(*) as *|fields - stringValue

Version and Box should show up in the same row.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-02-2016 12:32 AM

Hi rwiley,
did you tried with the transpose command?
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

Flynt
Splunk Employee
Splunk Employee
‎12-01-2016 01:02 PM

A bit shoestringed here but what if you try

|chart list(stringValue)  over stringValue by description|stats list(*) as *|fields - stringValue

For example in the following test search -

|stats count|fields - count|eval description="Version ,", stringValue="2"|append [|stats count|fields - count|eval description="Box ,", stringValue="0"]|chart list(stringValue)  over stringValue by description|stats list(*) as *|fields - stringValue

Version and Box should show up in the same row.

0 Karma
Reply
Solved! Jump to solution

rwiley
Explorer
‎12-07-2016 05:48 AM

thanks Flynt! just what i needed. sorry to take so long on reply. got pulled to another project.

0 Karma
Reply
Solved! Jump to solution

gokadroid
Motivator
‎12-01-2016 12:42 PM

How about you try |eval {description,}=stringValue right at the end which will create a field name for each description, which it sees and then tabulate that using | table (*,)
Explanation here for the eval expression above

 index=cmedia sourcetype="adspecificsnmp" 
  | rex field=_raw mode=sed "s/=,/=NA,/g"
  | rex field=_raw max_match=0 "(?(\d+\.)+)(?\d+)=(?[^,]+)"
  | eval tempString=mvzip(sP, (mvzip (sS, sV, "~")), "~")
  | mvexpand tempString
  | rex field=tempString "(?[^~]+)~(?[^~]+)~(?(.*))"
  | eval myString=stringPrefix."".stringSuffix
  | lookup ACMCodes.csv Suffix as stringSuffix OUTPUT Description as description
  | eval {description,}=stringValue
  | table (*,)
0 Karma
Reply
Solved! Jump to solution

rwiley
Explorer
‎12-01-2016 12:57 PM

This works. but it doesn't bring it in in one row. it brings in the value for stringValue but the rest of the row is empty.

example:
Date SpotID Zone Channel
1 date

2 478393
3 CNN
4 zone

i was hoping to get this
Date SpotID Zone Channel
1 date 478393 zone CNN

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...