
How to extract a field name as a value?


My apologies if there is an obvious answer to this question, but I have been searching Splunk answers and the documentation without success.

I am interested in passing a field's name as a value to manipulate with eval in later steps. For example:
FIELD1=value1
lastname=smith

I want the ability to potentially create a new string field via eval containing both the field name and value of FIELD1. For example:
NEWFIELD="FIELD1 - value1"
details="lastname - smith"

However, I cannot find a way to print the field name of FIELD1 in an eval. I appreciate any help! Thanks.


Re: How to extract a field name as a value?


Like this:

... | foreach lastname [ eval details = "<<FIELD>> - " . <<FIELD>> ]

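An added example, not part of the original answer: the same foreach technique applied to both fields from the question, run against a single constructed event from makeresults. It goes slightly beyond the answer by collecting every "name - value" pair into one multivalue field; the field name name_value_pairs is an assumption chosen for illustration.

```spl
| makeresults
``` constructed sample event carrying the two fields from the question ```
| eval FIELD1="value1", lastname="smith"
``` inside the subsearch template, "<<FIELD>>" in double quotes becomes the literal field name,
    while '<<FIELD>>' in single quotes is read by eval as a reference to that field's value ```
| foreach FIELD1 lastname
    [ eval name_value_pairs = mvappend(name_value_pairs, "<<FIELD>> - " . '<<FIELD>>') ]
| table FIELD1 lastname name_value_pairs
```

The single quotes around the value reference keep eval working when a field name contains characters such as dots or hyphens.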