Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Is there any Splunk search command to get the Field Value using just a string token?

vganjare
Builder
‎04-27-2015 11:38 PM

Hi,

Is there any splunk search command which can be used to get the Field Value using just a string token? Something like 

...|eval fieldValue=getValue("FieldName")

Thanks!!

Tags (3)
Reply

Runals
Motivator
‎04-28-2015 04:45 AM

I don't know that I fully understand your use case but it sounds like you want to use a macro. This would allow you to pass a field to it in the course of your search and have a standard output. In your macro you can put pipes and all that business but if it is a one command macro I tend to not do that and put the pipe in the search as it looks more natural.

Macro
Name: getSomeFieldValue(1) #you need to put a number in the name like this for each field you are going to pass
Definition: eval fieldValue = $somefield$
Arguments: somefield

When you call the macro in the query you will need to start and end it with left ticks (not single quotes; usually left of the 1 key)

sourcetype=foo bar=* | `getSomeFieldValue(bar)` | stats count by fieldValue
0 Karma
Reply

vganjare
Builder
‎04-28-2015 11:23 PM

Hi,

If the field name is known upfront, then above solution work fine. But, if the field name is coming from dashboard user, then we dont have any direct way of fetching the field by using string token. e.g. following is the incidents occured in last 5 months.
Jan | Feb | Mar | Apr | May
20 | 15 | 8 | 17 | 22

Now, the user can select any one of the month and it will be copied in a field "selectedMonth". What ever is the month selected, i.e. Mar, we want to pull the information from "Mar" field and display it to user.

This is just an example. Using a custom search command, this can be achieved very easily, but wanted to check if this is already supported in SPL.

Thanks!!

0 Karma
Reply

Runals
Motivator
‎04-29-2015 03:59 AM

I wondered if that was the overarching use case. The solution options somewhat depends on the version of Splunk you are running. I suggest downloading an app called Splunk Dashboard Examples which will show you how to achieve what you are after. Up through 6.1 you can control the drill down behavior so that if a user clicks elements on a dashboard panel they would open a new dashboard with values from whatever they clicked on the first (passing a token). In 6.2 you are able to pass those tokens to other panels within the same dashboard. I'd give you an example but the example app is REALLY well done IMO and covers this well.

0 Karma
Reply

stephanefotso
Motivator
‎04-28-2015 12:09 AM

Hello! How a bout just give the value of fieldName directly to fieldValue?

..|eval fieldValue=FieldName

Notice that i did not use "FieldName "

SGF
0 Karma
Reply

vganjare
Builder
‎04-28-2015 12:15 AM

In some cases, we don't know what FieldName we want to search for. FieldName token is not available upfront.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...