Splunk Search

How to extract a field name as a value?


My apologies if there is an obvious answer to this question, but I have been searching Splunk answers and the documentation without success.

I am interested in passing a field's name as a value to manipulate with eval in later steps. For example:

I want the ability to potentially create a new string field via eval with containing both the field name and value of FIELD1. For example:
NEWFIELD="FIELD1 - value1"
details="lastname - smith"

However, I cannot find a way to print the field name of FIELD1 in an eval. I appreciate any help! Thanks.

0 Karma

Re: How to extract a field name as a value?

Esteemed Legend

Like this:

... | foreach lastname [ eval details = "<<FIELD>> - " . <<FIELD>> ]

View solution in original post