
Using a column of field names to dynamically select fields for use in eval expression

New Member

Hi.

Suppose my search generates the first 4 columns from the following table:

field1  field2  field3  lookup  result
x1      y1      z1      field1  x1
x2      y2      z2      field3  z2
x3      y3      z3      field2  y3

I would like to create the result column using values from lookup to specify which fieldX to extract the result value from.

So if I have an expression like ...| eval result=lookup, what do I need to wrap around the lookup to achieve the result column in the table above?

0 Karma

Re: Using a column of field names to dynamically select fields for use in eval expression

SplunkTrust

Assuming you already have field1, field2, field3, and lookup, you should be able to get result with case.

... | eval result = case(lookup="field1", field1, lookup="field2",field2, lookup="field3",field3, 1=1,"oops")
---
If this reply helps you, an upvote would be appreciated.
0 Karma

Re: Using a column of field names to dynamically select fields for use in eval expression

New Member

Thanks a lot for your answer rich. It's certainly a solution to my question, but not quite what I was hoping for. I've added a comment to clarify what I'm looking for.

0 Karma

Re: Using a column of field names to dynamically select fields for use in eval expression

New Member

Ideally I'm hoping for a solution which would scale well with large numbers of fieldX columns. Sorry, I could have been more clear in the question.

For example, ... | eval {lookup} = blargh uses values from one field to specify the name of another field. So I was hoping that something like ... | eval result = {lookup} might work, but doesn't.

Is there anything like this in SPL?

0 Karma

Re: Using a column of field names to dynamically select fields for use in eval expression

SplunkTrust

It seems overcomplicated, but this should accomplish the need...

 | rename lookup to mylookup
 | appendpipe 
    [| map search="| makeresults | eval field1=$field1$ | eval field2=$field2$ | eval field3=$field3$ | eval result=$lookup$ | table field1 field2 field3 mylookup result" 
    | dedup field1 field2 field3 mylookup 
    | outputcsv mytemp.csv 
    | where false()
     ]
 | join type=left field1 field2 field3 mylookup [| inputcsv mytemp.csv ]
0 Karma

Re: Using a column of field names to dynamically select fields for use in eval expression

Esteemed Legend

Like this:

| makeresults 
| eval raw="x1 y1 z1 field1 x1::x2 y2 z2 field3 z2::x3 y3 z3 field2 y3" 
| makemv delim="::" raw 
| mvexpand raw 
| rex field=raw "(?<field1>\S+)\s+(?<field2>\S+)\s+(?<field3>\S+)\s+(?<lookup>\S+)\s+(?<expected_result>\S+)"
| fields - raw _time

| rename COMMENT AS "Everything above fakes sample data; everything below is your solution."

| eval result="N/A"
| foreach field* [eval result=if(lookup="<<FIELD>>", $<<FIELD>>$, result)]


0 Karma

Re: Using a column of field names to dynamically select fields for use in eval expression

Explorer

Try this new AddOn: https://splunkbase.splunk.com/app/4597/

It does exactly what you are looking for. 🙂

| makeresults 
| eval Field1=1
| eval Field2=2
| eval Field3=3
| eval Field4=4
| eval pointer_field="Field4"
| pointerset newField pointer="pointer_field"
Field1  Field2  Field3  Field4  pointer_field  newField
1       2       3       4       Field4         4
0 Karma