Splunk Search

Is there a way to "automate" similar field names function?

jbanAtSplunk
Communicator

Hi,

Just curious if this is possible, as I have an interesting challenge.

So, I have extracted fields, key=value

id0=0000, id1=1111, id2=2222,inN=NNNN,zone0=zone0,zone1=zone1,zone2=zone2,zoneN=zoneN
Now I want to create a new field like this, where just the number auto-increments:
| eval example0 = id0 + " location:" + zone0


My challenge is how to make that more "automatic", as I don't know the number "N" in the event and want to automate this new field so that for every exampleN I have the same eval expression.
I mean it'll be a little more complicated, as I'll create some case statement in the eval, but the initial challenge is how to automate it in the simpler, string-only scenario.

0 Karma
1 Solution

bowesmana
SplunkTrust

Use foreach. This example demonstrates how to do it, you can run it in the search window, but the last line is the one you want.

| makeresults
``` Create some dummy data with a random number of n ```
| eval n=mvrange(0, random() % 10, 1)
| mvexpand n
| eval id{n}=printf("%04d", random() % 10000), zone{n}=printf("zone%d", n)
``` Join all these values back to a single row ```
| stats values(*) as *
| fields - n
``` Now we have the dummy data, use foreach ```
| foreach id* [ eval "example<<MATCHSTR>>"='<<FIELD>>'." location:".'zone<<MATCHSTR>>' ]

 


0 Karma


bowesmana
SplunkTrust

This is one of the great things you can do, if you use a well defined field naming convention. As you can see in this example, the * in the foreach statement will 'capture' the matching part of the string, so 0, 1, 2 etc from the name of the id field.

This captured value is then substituted when the <<MATCHSTR>> operator is used.

Note that it is important to use single quotes round the right hand side of the eval statement fields, so it can handle field names containing odd characters - although not critical in your case, but a useful practice.

0 Karma

jbanAtSplunk
Communicator

I don't think that that is what I need. Stats are not good for my use case in that early stage.

Basically, what I did with 15 evals is build a variable that is a comma-separated string, which is then makemv'd and mvexpanded.

As I need all this id0,id1,id2... expanded as id.
basically,
id0=0000, id1=1111, id2=2222,inN=NNNN,zone0=zone0,zone1=zone1,zone2=zone2,zoneN=zoneN

That one event needs to become/expand to N events:
--id---|--zone--
0000|zone0
1111|zone1
2222|zone2
NNNN|zoneN

Now I can map and create an automatic allowlist rule based on case-if logic; the logic is not that hard to write. The end result is like:
"Allowlist id=" + id + " zone=" + zone + " URL=" + url ...

0 Karma
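As an added example (not code from the thread or from either poster), the following search ties bowesmana's foreach / <<MATCHSTR>> pattern to the one-event-to-N-events expansion described in this post. The idN/zoneN values are constructed inline with eval instead of being extracted from a real event, and the field names pair, pairs and allowlist are my own choices.

```spl
| makeresults
| eval id0="0000", id1="1111", id2="2222", zone0="zone0", zone1="zone1", zone2="zone2"
| foreach id* [ eval pair='<<FIELD>>'."|".'zone<<MATCHSTR>>',
               pairs=if(isnull(pairs), pair, mvappend(pairs, pair)) ]
| mvexpand pairs
| eval id=mvindex(split(pairs, "|"), 0), zone=mvindex(split(pairs, "|"), 1)
| eval allowlist="Allowlist id=".id." zone=".zone
| table id zone allowlist
```

The foreach visits every field matching id*, and for each one the * captures the suffix (0, 1, 2), which <<MATCHSTR>> substitutes into zone<<MATCHSTR>> to pick the partner field; each visit appends one "id|zone" string to the multivalue field pairs, which mvexpand then splits into one event per pair before split()/mvindex() recover the separate id and zone fields. Two points to watch: the foreach must run before a plain field named id exists, because id* also matches id itself (with an empty <<MATCHSTR>>, it would try to pair it with a field called zone); and the "|" separator only works because the id and zone values do not contain that character, so pick a separator you know cannot appear in the data.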

jbanAtSplunk
Communicator

Sorry, it's working. I needed only this foreach command.

0 Karma