Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use a columns value as a key to a different column for my results id like to output?

zsaf
Explorer
‎06-29-2022 01:08 PM
 

I have two columns per event I am trying to use. Well call these col1 and UknownRandomColumnName (urcn for short) . The key of urcn changes from event to event, but the value of col1 will always be the key of urcn. How can I use the value of col1 as a key for the data id like to output from urcn in a search. Example data for my events may look like:

=======================
|    col       |    urcn1    |    urcn2    |
======================
|    urcn1 |    Value    |                     |
---------------------------------------
|    urcn2 |                    |     Value    |
--------------------------------------

Labels (2)
Labels
Tags (2)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎06-29-2022 01:32 PM

I'm not sure I get what you want but it seems you might need xyseries.

Reply

zsaf
Explorer
‎06-29-2022 01:34 PM

Hey,  my desired output I guess would be a table with the values from the ucrn columns. 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎06-29-2022 11:51 PM

As I said - I'm not sure I understand you correctly, but I assume that you have events in the form of

"name: field1name, value: fieldvalue"
"name: field2name, value: fieldvalue"

And you want to get:

field1name: fieldvalue
field2name: fieldvalue

And so on.

Check untable and xyseries (I always confuse those commands) - one of those should do what you need.

Reply

zsaf
Explorer
‎06-30-2022 07:26 AM

Here would be an example sample of my events.  The type value contains the key of the property I need to display data from. In my example I would like to output the name and age in each object, but I do not know the property name. The only thing I know ahead of time is that the value of type will be the property name I need to access.

{
type: "fwagods",
fwagods: {
    name:"someNameHere",
    age:23
    }
},
{
type: "zsaf",
zsaf: {
    name:"someName2",
    age:65
    }
},
{
type: "smorflafaum",
smorflafaum: {
    name:"SomeName3",
    age:41
    }
}
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-01-2022 12:08 AM

That's getting more complicated because you have json and it looks as if you have multiple "subevents" within a single event.

But assuming that you have the jsons as separate events, you can do something like that:

<your_search>
| spath
| foreach *.name 
  [ eval name='<<FIELD>>'
   | eval age='<<MATCHSTR>>.age' ]

 At this point you'll have your name and age fields with constant names and you're gonna have a type as separate field. Now all you have to do is

| xyseries type name age
0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...