Splunk Search

How to extract a field name as a value?

ssiat479
Engager

My apologies if there is an obvious answer to this question, but I have been searching Splunk answers and the documentation without success.

I am interested in passing a field's name as a value to manipulate with eval in later steps. For example:
FIELD1=value1
lastname=smith

I want the ability to potentially create a new string field via eval with containing both the field name and value of FIELD1. For example:
NEWFIELD="FIELD1 - value1"
details="lastname - smith"

However, I cannot find a way to print the field name of FIELD1 in an eval. I appreciate any help! Thanks.

0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

... | foreach lastname [ eval details = "<<FIELD>> - " . <<FIELD>> ]

View solution in original post

woodcock
Esteemed Legend

Like this:

... | foreach lastname [ eval details = "<<FIELD>> - " . <<FIELD>> ]
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...