Using a column of field names to dynamically select fields for use in eval expression

dvanderlaan
New Member

Hi.

Suppose my search generates the first 4 columns from the following table:

field1  field2  field3  lookup  result
x1      y1      z1      field1  x1
x2      y2      z2      field3  z2
x3      y3      z3      field2  y3

I would like to create the result column using values from lookup to specify which fieldX to extract the result value from.

So if I have an expression like ...| eval result=lookup, what do I need to wrap around the lookup to achieve the result column in the table above?

woodcock
Esteemed Legend

Like this:

| makeresults 
| eval raw="x1 y1 z1 field1 x1::x2 y2 z2 field3 z2::x3 y3 z3 field2 y3" 
| makemv delim="::" raw 
| mvexpand raw 
| rex field=raw "(?<field1>\S+)\s+(?<field2>\S+)\s+(?<field3>\S+)\s+(?<lookup>\S+)\s+(?<expected_result>\S+)"
| fields - raw _time

| rename COMMENT AS "Everything above fakes sample data; everything below is your solution."

| eval result="N/A"
| foreach field* [eval result=if(lookup="<<FIELD>>", $<<FIELD>>$, result)]

sbarr0
Explorer

Try this new AddOn: https://splunkbase.splunk.com/app/4597/

It does exactly what you are looking for. 🙂

| makeresults 
| eval Field1=1
| eval Field2=2
| eval Field3=3
| eval Field4=4
| eval pointer_field="Field4"
| pointerset newField pointer="pointer_field"
Field1  Field2  Field3  Field4  pointer_field   newField    
1           2       3       4       Field4          4

DalJeanis
Legend

It seems overcomplicated, but this should accomplish the need...

| rename lookup AS mylookup
| appendpipe
    [| map search="| makeresults | eval field1=\"$field1$\" | eval field2=\"$field2$\" | eval field3=\"$field3$\" | eval mylookup=\"$mylookup$\" | eval result=$mylookup$ | table field1 field2 field3 mylookup result"
    | dedup field1 field2 field3 mylookup
    | outputcsv mytemp.csv
    | where false()
    ]
| join type=left field1 field2 field3 mylookup [| inputcsv mytemp.csv ]

dvanderlaan
New Member

Ideally I'm hoping for a solution which would scale well with large numbers of fieldX columns. Sorry, I could have been more clear in the question.

For example, ... | eval {lookup} = blargh uses values from one field to specify the name of another field. So I was hoping that something like ... | eval result = {lookup} might work, but it doesn't.

Is there anything like this in SPL?


richgalloway
SplunkTrust

Assuming you already have field1, field2, field3, and lookup, you should be able to get result with case.

... | eval result = case(lookup="field1", field1, lookup="field2", field2, lookup="field3", field3, 1=1, "oops")
---
If this reply helps you, Karma would be appreciated.

dvanderlaan
New Member

Thanks a lot for your answer, rich. It's certainly a solution to my question, but not quite what I was hoping for. I've added a comment to clarify what I'm looking for.
