Splunk Search

Is there any Splunk search command to get the Field Value using just a string token?

vganjare
Builder

Hi,

Is there any splunk search command which can be used to get the Field Value using just a string token? Something like

...|eval fieldValue=getValue("FieldName")

Thanks!!

Tags (3)

Runals
Motivator

I don't know that I fully understand your use case but it sounds like you want to use a macro. This would allow you to pass a field to it in the course of your search and have a standard output. In your macro you can put pipes and all that business but if it is a one command macro I tend to not do that and put the pipe in the search as it looks more natural.

Macro
Name: getSomeFieldValue(1) #you need to put a number in the name like this for each field you are going to pass
Definition: eval fieldValue = $somefield$
Arguments: somefield

When you call the macro in the query you will need to start and end it with left ticks (not single quotes; usually left of the 1 key)

sourcetype=foo bar=* | `getSomeFieldValue(bar)` | stats count by fieldValue
0 Karma

vganjare
Builder

Hi,

If the field name is known upfront, then above solution work fine. But, if the field name is coming from dashboard user, then we dont have any direct way of fetching the field by using string token. e.g. following is the incidents occured in last 5 months.
Jan | Feb | Mar | Apr | May
20 | 15 | 8 | 17 | 22

Now, the user can select any one of the month and it will be copied in a field "selectedMonth". What ever is the month selected, i.e. Mar, we want to pull the information from "Mar" field and display it to user.

This is just an example. Using a custom search command, this can be achieved very easily, but wanted to check if this is already supported in SPL.

Thanks!!

0 Karma

Runals
Motivator

I wondered if that was the overarching use case. The solution options somewhat depends on the version of Splunk you are running. I suggest downloading an app called Splunk Dashboard Examples which will show you how to achieve what you are after. Up through 6.1 you can control the drill down behavior so that if a user clicks elements on a dashboard panel they would open a new dashboard with values from whatever they clicked on the first (passing a token). In 6.2 you are able to pass those tokens to other panels within the same dashboard. I'd give you an example but the example app is REALLY well done IMO and covers this well.

0 Karma

stephanefotso
Motivator

Hello! How a bout just give the value of fieldName directly to fieldValue?

..|eval fieldValue=FieldName

Notice that i did not use "FieldName "

SGF
0 Karma

vganjare
Builder

In some cases, we don't know what FieldName we want to search for. FieldName token is not available upfront.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...