Solved: Re: Using a column of field names to dynamically s...

dvanderlaan · ‎05-05-2017

Hi.

Suppose my search generates the first 4 columns from the following table:

field1  field2  field3  lookup  result
x1      y1      z1      field1  x1
x2      y2      z2      field3  z2
x3      y3      z3      field2  y3

I would like to create the result column using values from lookup to specify which fieldX to extract the result value from.

So if I have an expression like ...| eval result=lookup, what do I need to wrap around the lookup to achieve the the result column in the table above?

woodcock · ‎05-06-2017

Like this:

| makeresults 
| eval raw="x1 y1 z1 field1 x1::x2 y2 z2 field3 z2::x3 y3 z3 field2 y3" 
| makemv delim="::" raw 
| mvexpand raw 
| rex field=raw "(?<field1>\S+)\s+(?<field2>\S+)\s+(?<field3>\S+)\s+(?<lookup>\S+)\s+(?<expected_result>\S+)"
| fields - raw _time

| rename COMMENT AS "Everything above fakes sample data; everything below is your solution."

| eval result="N/A"
| foreach field* [eval result=if(lookup="<<FIELD>>", $<<FIELD>>$, result)]

View solution in original post

sbarr0 · ‎07-19-2019

Try this new AddOn: https://splunkbase.splunk.com/app/4597/

It does exactly what you are looking for. 🙂

| makeresults 
| eval Field1=1
| eval Field2=2
| eval Field3=3
| eval Field4=4
| eval pointer_field="Field4"
| pointerset newField pointer="pointer_field"

Field1  Field2  Field3  Field4  pointer_field   newField    
1           2       3       4       Field4          4

woodcock · ‎05-06-2017

Like this:

| makeresults 
| eval raw="x1 y1 z1 field1 x1::x2 y2 z2 field3 z2::x3 y3 z3 field2 y3" 
| makemv delim="::" raw 
| mvexpand raw 
| rex field=raw "(?<field1>\S+)\s+(?<field2>\S+)\s+(?<field3>\S+)\s+(?<lookup>\S+)\s+(?<expected_result>\S+)"
| fields - raw _time

| rename COMMENT AS "Everything above fakes sample data; everything below is your solution."

| eval result="N/A"
| foreach field* [eval result=if(lookup="<<FIELD>>", $<<FIELD>>$, result)]

DalJeanis · ‎05-05-2017

It seems over complicated, but this should accomplish the need...

 | rename lookup to mylookup
 | appendpipe 
    [| map search="| makeresults | eval field1=$field1$ | eval field2=$field2$ | eval field3=$field3$ | eval result=$lookup$ | table field1 field2 field3 mylookup result" 
    | dedup field1 field2 field3 mylookup 
    | outputcsv mytemp.csv 
    | where false()
     ]
 | join type=left field1 field2 field3 mylookup [| inputcsv mytemp.csv ]

dvanderlaan · ‎05-05-2017

Ideally I'm hoping for a solution which would scale well with large numbers of fieldX columns. Sorry, I could have been more clear in the question.

For example, ... | eval {lookup} = blargh uses values from one field to specify the name of another field. So I was hoping that something like ... | eval result = {lookup} might work, but doesn't.

Is there anything like this in SPL?

richgalloway · ‎05-05-2017

Assuming you already have field1, field2, field3, and lookup, you should be able to get result with case.

... | eval result = case(lookup="field1", field1, lookup="field2",field2, lookup="field3",field3, 1=1,"oops")

---
If this reply helps you, Karma would be appreciated.

dvanderlaan · ‎05-05-2017

Thanks a lot for your answer rich. It's certainly a solution to my question, but not quite what I was hoping for. I've added a comment to clarify what I'm looking for

Using a column of field names to dynamically select fields for use in eval expression

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!