Hi.
Suppose my search generates the first 4 columns from the following table:
field1 field2 field3 lookup result
x1 y1 z1 field1 x1
x2 y2 z2 field3 z2
x3 y3 z3 field2 y3
I would like to create the result column using values from lookup to specify which fieldX to extract the result value from.
So if I have an expression like ...| eval result=lookup, what do I need to wrap around the lookup to achieve the result column in the table above?
Like this:
| makeresults
| eval raw="x1 y1 z1 field1 x1::x2 y2 z2 field3 z2::x3 y3 z3 field2 y3"
| makemv delim="::" raw
| mvexpand raw
| rex field=raw "(?<field1>\S+)\s+(?<field2>\S+)\s+(?<field3>\S+)\s+(?<lookup>\S+)\s+(?<expected_result>\S+)"
| fields - raw _time
| rename COMMENT AS "Everything above fakes sample data; everything below is your solution."
| eval result="N/A"
| foreach field* [eval result=if(lookup="<<FIELD>>", $<<FIELD>>$, result)]
Try this new AddOn: https://splunkbase.splunk.com/app/4597/
It does exactly what you are looking for. 🙂
| makeresults | eval Field1=1 | eval Field2=2 | eval Field3=3 | eval Field4=4 | eval pointer_field="Field4" | pointerset newField pointer="pointer_field"
Field1 Field2 Field3 Field4 pointer_field newField
1 2 3 4 Field4 4
It seems overcomplicated, but this should accomplish the need...
| rename lookup to mylookup
| appendpipe
[| map search="| makeresults | eval field1=\"$field1$\" | eval field2=\"$field2$\" | eval field3=\"$field3$\" | eval mylookup=\"$mylookup$\" | eval result=$mylookup$ | table field1 field2 field3 mylookup result"
| dedup field1 field2 field3 mylookup
| outputcsv mytemp.csv
| where false()
]
| join type=left field1 field2 field3 mylookup [| inputcsv mytemp.csv ]
Ideally I'm hoping for a solution which would scale well with large numbers of fieldX columns. Sorry, I could have been more clear in the question.
For example, ... | eval {lookup} = blargh uses values from one field to specify the name of another field. So I was hoping that something like ... | eval result = {lookup} might work, but it doesn't.
Is there anything like this in SPL?
Assuming you already have field1, field2, field3, and lookup, you should be able to get result with case.
... | eval result = case(lookup="field1", field1, lookup="field2",field2, lookup="field3",field3, 1=1,"oops")
Thanks a lot for your answer rich. It's certainly a solution to my question, but not quite what I was hoping for. I've added a comment to clarify what I'm looking for