Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

{} equivalent on right hand side of eval

usd0872
Path Finder
‎12-10-2021 03:52 AM

I hate hardcoding dynamic things. Sooner or later those thing break. I have data with fields

 

... forecast_2020=400, forecast_2021=500, forecast_2022=650, forecast_2023=800 ...

 

and in some search I need to use the correct forecast for the current year.

What I could do is

 

...
| eval year=strftime(now(),"%Y"),
       forecast=case(year==2021, forecast_2021,
                     year==2022, forecast_2022,
                     year==2023, forecast_2023,
                     1==1,       0)

 

This definitely results in problems in 2024; by then I will have a field forecast_2024 but nobody will remember to update the search.

I'd rather use something along these lines:

 

...
| eval year=strftime(now(),"%Y"),
       forecast=coalesce(forecast_{year}, 0)

 

However, the {} trick can only be used on the left hand side in eval. Is there any similar cool trick which works on the right hand side?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-10-2021 04:38 AM

Not exactly since it still uses {} on the left, but using foreach you could do this

| makeresults 
| eval year=strftime(now(),"%Y")
| eval forecast_2021=random()%100


| eval year_{year}=year
| foreach year_*
    [| eval forecast=coalesce(forecast_<<MATCHSTR>>,0)]

View solution in original post

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎12-10-2021 05:09 AM

Ugly but should work. Use foreach.

For example:

| makeresults count=3
| eval a1=2,a2=5,a3=8
| streamstats count
| foreach a* 
   [ eval result=if (<<MATCHSTR>> = count,<<FIELD>>,result)]

 Adjust to your needs (make the condition reference current year) and you're good to go.

0 Karma
Reply
Solved! Jump to solution

usd0872
Path Finder
‎12-10-2021 06:19 AM

Yep, foreach is the way to solve this. Thank you.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-10-2021 04:38 AM

Not exactly since it still uses {} on the left, but using foreach you could do this

| makeresults 
| eval year=strftime(now(),"%Y")
| eval forecast_2021=random()%100


| eval year_{year}=year
| foreach year_*
    [| eval forecast=coalesce(forecast_<<MATCHSTR>>,0)]
0 Karma
Reply
Solved! Jump to solution

usd0872
Path Finder
‎12-10-2021 06:15 AM

Bingo! A good way to achieve the result. It fits my need perfectly, I just could not think of it myself. Thank you.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...