How to extract a field name as a value?

ssiat479
Engager

My apologies if there is an obvious answer to this question, but I have been searching Splunk answers and the documentation without success.

I am interested in passing a field's name as a value to manipulate with eval in later steps. For example:
FIELD1=value1
lastname=smith

I want the ability to potentially create a new string field via eval containing both the field name and value of FIELD1. For example:
NEWFIELD="FIELD1 - value1"
details="lastname - smith"

However, I cannot find a way to print the field name of FIELD1 in an eval. I appreciate any help! Thanks.


woodcock
Esteemed Legend

Like this:

... | foreach lastname [ eval details = "<<FIELD>> - " . <<FIELD>> ]

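
A run-anywhere version of the search above, added here as an example and not part of the original answer: it builds the two sample fields from the question with makeresults (constructed data), then runs foreach over both to write one label_* string per field and a multivalue details field. The label_* names and the use of mvappend are this example's own choices; the single quotes around <<FIELD>> make eval read it as a field name, while the double-quoted copy stays a literal string.

```spl
| makeresults
| eval FIELD1="value1", lastname="smith"
| foreach FIELD1 lastname
    [ eval label_<<FIELD>> = "<<FIELD>> - " . '<<FIELD>>',
           details = mvappend(details, "<<FIELD>> - " . '<<FIELD>>') ]
| table FIELD1 lastname label_* details
```

The result has label_FIELD1 = "FIELD1 - value1" and label_lastname = "lastname - smith", and details carries both strings as separate values.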