Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

{} equivalent on right hand side of eval

usd0872
Path Finder
‎12-10-2021 03:52 AM

I hate hardcoding dynamic things. Sooner or later those thing break. I have data with fields

 

... forecast_2020=400, forecast_2021=500, forecast_2022=650, forecast_2023=800 ...

 

and in some search I need to use the correct forecast for the current year.

What I could do is

 

...
| eval year=strftime(now(),"%Y"),
       forecast=case(year==2021, forecast_2021,
                     year==2022, forecast_2022,
                     year==2023, forecast_2023,
                     1==1,       0)

 

This definitely results in problems in 2024; by then I will have a field forecast_2024 but nobody will remember to update the search.

I'd rather use something along these lines:

 

...
| eval year=strftime(now(),"%Y"),
       forecast=coalesce(forecast_{year}, 0)

 

However, the {} trick can only be used on the left hand side in eval. Is there any similar cool trick which works on the right hand side?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-10-2021 04:38 AM

Not exactly since it still uses {} on the left, but using foreach you could do this

| makeresults 
| eval year=strftime(now(),"%Y")
| eval forecast_2021=random()%100


| eval year_{year}=year
| foreach year_*
    [| eval forecast=coalesce(forecast_<<MATCHSTR>>,0)]

View solution in original post

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎12-10-2021 05:09 AM

Ugly but should work. Use foreach.

For example:

| makeresults count=3
| eval a1=2,a2=5,a3=8
| streamstats count
| foreach a* 
   [ eval result=if (<<MATCHSTR>> = count,<<FIELD>>,result)]

 Adjust to your needs (make the condition reference current year) and you're good to go.

0 Karma
Reply
Solved! Jump to solution

usd0872
Path Finder
‎12-10-2021 06:19 AM

Yep, foreach is the way to solve this. Thank you.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-10-2021 04:38 AM

Not exactly since it still uses {} on the left, but using foreach you could do this

| makeresults 
| eval year=strftime(now(),"%Y")
| eval forecast_2021=random()%100


| eval year_{year}=year
| foreach year_*
    [| eval forecast=coalesce(forecast_<<MATCHSTR>>,0)]
0 Karma
Reply
Solved! Jump to solution

usd0872
Path Finder
‎12-10-2021 06:15 AM

Bingo! A good way to achieve the result. It fits my need perfectly, I just could not think of it myself. Thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...