Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use a columns value as a key to a different column for my results id like to output?

zsaf
Explorer
‎06-29-2022 01:08 PM
 

I have two columns per event I am trying to use. Well call these col1 and UknownRandomColumnName (urcn for short) . The key of urcn changes from event to event, but the value of col1 will always be the key of urcn. How can I use the value of col1 as a key for the data id like to output from urcn in a search. Example data for my events may look like:

=======================
|    col       |    urcn1    |    urcn2    |
======================
|    urcn1 |    Value    |                     |
---------------------------------------
|    urcn2 |                    |     Value    |
--------------------------------------

Labels (2)
Labels
Tags (2)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎06-29-2022 01:32 PM

I'm not sure I get what you want but it seems you might need xyseries.

Reply

zsaf
Explorer
‎06-29-2022 01:34 PM

Hey,  my desired output I guess would be a table with the values from the ucrn columns. 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎06-29-2022 11:51 PM

As I said - I'm not sure I understand you correctly, but I assume that you have events in the form of

"name: field1name, value: fieldvalue"
"name: field2name, value: fieldvalue"

And you want to get:

field1name: fieldvalue
field2name: fieldvalue

And so on.

Check untable and xyseries (I always confuse those commands) - one of those should do what you need.

Reply

zsaf
Explorer
‎06-30-2022 07:26 AM

Here would be an example sample of my events.  The type value contains the key of the property I need to display data from. In my example I would like to output the name and age in each object, but I do not know the property name. The only thing I know ahead of time is that the value of type will be the property name I need to access.

{
type: "fwagods",
fwagods: {
    name:"someNameHere",
    age:23
    }
},
{
type: "zsaf",
zsaf: {
    name:"someName2",
    age:65
    }
},
{
type: "smorflafaum",
smorflafaum: {
    name:"SomeName3",
    age:41
    }
}
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-01-2022 12:08 AM

That's getting more complicated because you have json and it looks as if you have multiple "subevents" within a single event.

But assuming that you have the jsons as separate events, you can do something like that:

<your_search>
| spath
| foreach *.name 
  [ eval name='<<FIELD>>'
   | eval age='<<MATCHSTR>>.age' ]

 At this point you'll have your name and age fields with constant names and you're gonna have a type as separate field. Now all you have to do is

| xyseries type name age
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...