I have data that looks like this:
List_Data Type
A, B, C type_1
...or it might instead look like this:
Totally_Different_Name Type
A, B, C type_2
and I would like to move A, B, C to a different field, or just rename the field that it's in, so that I can work with the list using a common name, i.e.:
Common_Name Type
A, B, C type_2
I created a lookup file which identifies the name of the column based on the Type field...
types.csv:
Type Source_Column
type_1 List_Data
type_2 Totally_Different_Name
The idea being that if I get a new type of data I can just add the column name to the lookup file.
So far I have tried things like...
index=whatever
| lookup types.csv Type
| eval target_field_name="Common_Name"
| eval {target_field_name}=Source_Column
But I haven't figured out how to express that I want to set Common_Name equal to "the data contained in the field whose name is the value of the Source_Column field".
Ideally, I would be able to wrap the final solution into a macro so that I can dynamically provide the target_field_name, e.g. "Common_Name".
UPDATED:
I think there is no need for the lookup CSV.
If a field is added, add it as an argument of coalesce.
Query:
index=whatever
| eval Common_name = coalesce(List_Data,Totally_Different_Name)
previous answer:
types.csv:
Type Common_name
type_1 A, B, C
type_2 A, B, C
Query:
index=whatever
| lookup types.csv Type OUTPUT Common_name
The A, B, C is not static. It's pulled from each event so I can't just add it to the lookup table.
The edited answer looks like it will work as a decent workaround for my problem. Still hoping to hear back one way or the other about if my original question is possible in Splunk. It seems to me like there should be some supported way to rename "the data contained in the field whose name is the value of the Source_Column field".
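One way to read "the field whose name is the value of Source_Column", as an added example that is not part of the original thread: foreach substitutes each field name for <<FIELD>>, so "<<FIELD>>" is the name as a string and '<<FIELD>>' is that field's value, and the eval copies the value only from the field whose name matches. The two events are constructed with makeresults, and the case() line stands in for the "lookup types.csv Type" step from the question.

```spl
| makeresults count=2
| streamstats count AS n
| eval Type=if(n==1, "type_1", "type_2")
| eval List_Data=if(n==1, "A, B, C", null())
| eval Totally_Different_Name=if(n==2, "A, B, C", null())
| eval Source_Column=case(Type=="type_1", "List_Data", Type=="type_2", "Totally_Different_Name")
| foreach * [ eval Common_Name=if("<<FIELD>>"==Source_Column, '<<FIELD>>', Common_Name) ]
| table Type Source_Column Common_Name
```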