Solved: Re: similar field names function

jbanAtSplunk · ‎09-11-2022

Hi,

Just curios if this is possible as I have interesting challenge.

So, I have extracted fields, key=value

id0=0000, id1=1111, id2=2222,inN=NNNN,zone0=zone0,zone1=zone1,zone2=zone2,zoneN=zoneN
Now I want to create new field that is like this just number AutoIncrements
| eval example0 = id0 + " location:" + zone0

My challenge is, how to make that more "automatic" as I don't know the number "N" in event and want to automate this new field so for every exampleN i have the same eval example.
I mean it'll be a little more complicated as I'll create some case statement in eval but inital challange is how to automate it on simpler just string scenario.

bowesmana · ‎09-11-2022

Use foreach. This example demonstrates how to do it, you can run it in the search window, but the last line is the one you want.

| makeresults
``` Create some dummy data with a random number of n ```
| eval n=mvrange(0, random() % 10, 1)
| mvexpand n
| eval id{n}=printf("%04d", random() % 10000), zone{n}=printf("zone%d", n)
``` Join all these values back to a single row ```
| stats values(*) as *
| fields - n
``` Now we have the dummy data, use foreach ```
| foreach id* [ eval "example<<MATCHSTR>>"='<<FIELD>>'." location:".'zone<<MATCHSTR>>' ]

View solution in original post

bowesmana · ‎09-11-2022

Use foreach. This example demonstrates how to do it, you can run it in the search window, but the last line is the one you want.

| makeresults
``` Create some dummy data with a random number of n ```
| eval n=mvrange(0, random() % 10, 1)
| mvexpand n
| eval id{n}=printf("%04d", random() % 10000), zone{n}=printf("zone%d", n)
``` Join all these values back to a single row ```
| stats values(*) as *
| fields - n
``` Now we have the dummy data, use foreach ```
| foreach id* [ eval "example<<MATCHSTR>>"='<<FIELD>>'." location:".'zone<<MATCHSTR>>' ]

bowesmana · ‎09-11-2022

This is one of the great things you can do, if you use a well defined field naming convention. As you can see in this example, the * in the foreach statement will 'capture' the matching part of the string, so 0, 1, 2 etc from the name of the id field.

This captured value is then substituted when the <<MATCHSTR>> operator is used.

Note that it is important to use single quotes round the right hand side of the eval statement fields, so it can handle field names containing odd characters - although not critical in your case, but a useful practice.

jbanAtSplunk · ‎09-12-2022

I don't think that that is what I need. Stats are not good for my use case in that early stage.

Basically, what I did with 15 evals is building an variable that is comma separated string as then it's makemv and mvexpand.

As I need all this id0,id1,id2... expanded as id.
basically,
id0=0000, id1=1111, id2=2222,inN=NNNN,zone0=zone0,zone1=zone1,zone2=zone2,zoneN=zoneN

That one event need's to become/expand to N events
--id---|--zone--
0000|zone0
1111|zone1
2222|zone2
NNNN|zoneN

Now I can map and create automatic allowlist rule base on case if logic, logic is not that hard to write. End result is like.
"Allowlist id=" + id + " zone=" + zone + " URL=" + url ...

jbanAtSplunk · ‎09-12-2022

Sry, It's working. I needed only this ForEach command.

Is there a way to "automate" similar field names function?

eval

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?