Is there a way to "automate" similar field names function?

jbanAtSplunk
Path Finder

Hi,

Just curious if this is possible, as I have an interesting challenge.

So, I have extracted fields, key=value

id0=0000, id1=1111, id2=2222,idN=NNNN,zone0=zone0,zone1=zone1,zone2=zone2,zoneN=zoneN
Now I want to create a new field like this, just with the number auto-incrementing:
| eval example0 = id0 + " location:" + zone0


My challenge is how to make that more "automatic", as I don't know the number "N" in the event and want to automate this new field so that for every exampleN I have the same eval expression.
I mean it'll be a little more complicated, as I'll create some case statement in the eval, but the initial challenge is how to automate it in the simpler, string-only scenario.


bowesmana
SplunkTrust
SplunkTrust

Use foreach. This example demonstrates how to do it, you can run it in the search window, but the last line is the one you want.

| makeresults
``` Create some dummy data with a random number of n ```
| eval n=mvrange(0, random() % 10, 1)
| mvexpand n
| eval id{n}=printf("%04d", random() % 10000), zone{n}=printf("zone%d", n)
``` Join all these values back to a single row ```
| stats values(*) as *
| fields - n
``` Now we have the dummy data, use foreach ```
| foreach id* [ eval "example<<MATCHSTR>>"='<<FIELD>>'." location:".'zone<<MATCHSTR>>' ]



bowesmana
SplunkTrust
SplunkTrust

This is one of the great things you can do, if you use a well defined field naming convention. As you can see in this example, the * in the foreach statement will 'capture' the matching part of the string, so 0, 1, 2 etc from the name of the id field.

This captured value is then substituted when the <<MATCHSTR>> operator is used.

Note that it is important to use single quotes round the right hand side of the eval statement fields, so it can handle field names containing odd characters - although not critical in your case, but a useful practice.


jbanAtSplunk
Path Finder

I don't think that that is what I need. Stats are not good for my use case at that early stage.

Basically, what I did with 15 evals is build a variable that is a comma-separated string, as then it's makemv and mvexpand.

As I need all these id0,id1,id2... expanded as id.
Basically,
id0=0000, id1=1111, id2=2222,idN=NNNN,zone0=zone0,zone1=zone1,zone2=zone2,zoneN=zoneN

That one event needs to become/expand to N events:
--id---|--zone--
0000|zone0
1111|zone1
2222|zone2
NNNN|zoneN

Now I can map and create an automatic allowlist rule based on case/if logic; the logic is not that hard to write. The end result is like:
"Allowlist id=" + id + " zone=" + zone + " URL=" + url ...

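As an added example (not code from the thread), this search combines the foreach/<<MATCHSTR>> pattern from the accepted answer with the follow-up's need to turn one event holding idN/zoneN pairs into one event per pair. The sample event is constructed with eval, and id3 deliberately has no matching zone3 so that coalesce() supplies a "zone-missing" placeholder instead of dropping the pair; the field name pairs and the placeholder string are assumptions of this example.

```spl
| makeresults
| eval id0="0000", id1="1111", id2="2222", id3="3333", zone0="zone0", zone1="zone1", zone2="zone2"
| foreach id* [ eval pairs=mvappend(pairs, '<<FIELD>>'."|".coalesce('zone<<MATCHSTR>>', "zone-missing")) ]
| mvexpand pairs
| eval id=mvindex(split(pairs, "|"), 0), zone=mvindex(split(pairs, "|"), 1)
| fields id zone
```

The foreach builds a multivalue field with one "id|zone" string per idN, mvexpand emits one event per value, and the split/mvindex pair recovers separate id and zone fields, so the result is four rows ending with id=3333, zone=zone-missing.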

jbanAtSplunk
Path Finder

Sorry, it's working. I needed only this foreach command.
