Splunk Search

how do I create a variable (or new field name) whose value is another field name

HattrickNZ
Motivator

This is my sample search/data:

    | makeresults 
    | eval data = "
    1    2017-12-01 00:00:00    A    0    131033    84.1;
    2    2017-12-01 00:30:00    B    0    23627    95;
    3    2017-12-01 00:45:00    C    0    117185    99.6;
    " 
    | makemv delim=";" data 
    | mvexpand data
    | rex field=data "(?<serial>\d)\s+(?<date>\d+-\d+-\d+ \d+:\d+:\d+)\s+(?<type>\w)\s+(?<attempts>\d+)\s+(?<successfullAttempts>\d+)\s+(?<sr>\d+)"
    | fields + date serial type attempts successfullAttempts sr 
    | rename date as _time 
    | search serial=*
    | eval x = "successfullAttempts"

And this is what I want, just for illustration.

        _time                serial  type  attempts  successfullAttempts  sr  x
    1   2017-12-01 00:00:00  1       A     0         131033               84  successfullAttempts
    2   2017-12-01 00:30:00  2       B     0         23627                95  successfullAttempts
    3   2017-12-01 00:45:00  3       C     0         117185               99  successfullAttempts

But what I am trying to do is to get the field name, e.g. successfullAttempts, as the value of another field, e.g. x.

So, given some data, how do I create a variable (or new field name) whose value is another field name?
Hope that explains it.
One option, which may or may not help explain it, is to appendcols [search .... | stats values(fieldnameThatHasTheValueOfInterest) as x]

0 Karma

kmorris_splunk
Splunk Employee

Try this:

Use the value of one field as the name for a new field
In this example, use each value of the field counter to make a new field name. Assign to the new field the value of the Value field. See Field names under the Usage section.

index=perfmon sourcetype=Perfmon* counter=* Value=* | eval {counter} = Value

Link to the documentation on this topic.

carbdb
Explorer

thanks, saved me loads of redundant coding!

i.e. elegant new solution setting dashboard tokens:

| sort 0 area -error_rate | dedup area
| eval x=area+"_service_id" | eval {x} = service_id | fields - x service_id
| eval x=area+"_service" | eval {x} = service | fields - x service
| eval x=area+"_value" | eval {x} = error_rate | fields - x error_rate
| eval x=area+"_color" | eval {x} = color | fields - x color
| fields - area _time
| stats values(*) as *
0 Karma

HattrickNZ
Motivator

thanks, I don't see any new fields in my Interesting fields list.
Also, that link is to this page.

0 Karma

mayurr98
Super Champion

I guess you want something like this

| makeresults 
| eval data = "
      1    2017-12-01 00:00:00    A    0    131033    84.1;
     2    2017-12-01 00:30:00    B    0    23627    95;
     3    2017-12-01 00:45:00    C    0    117185    99.6;
     " 
| makemv delim=";" data 
| mvexpand data 
| rex field=data "(?<serial>\d)\s+(?<date>\d+-\d+-\d+ \d+:\d+:\d+)\s+(?<type>\w)\s+(?<attempts>\d+)\s+(?<successfullAttempts>\d+)\s+(?<sr>\d+)" 
| fields + date serial type attempts successfullAttempts sr 
| rename date as _time 
| search serial=* 
| append 
    [| makeresults 
    | eval failed="1"] 
| eval x =case(successfullAttempts>0,"successfullAttempts",failed>0,"failedAttempts")

let me know if this helps!

0 Karma

HattrickNZ
Motivator

That helps, thanks. But what if I did not know what the field name was, e.g. successfullAttempts? I would not be able to hardcode it like that.

Let me try to explain it better:
index=core.... LABEL=successfullAttempts | timechart sum(kpi) as X by LABEL
would give something like:

_time successfullAttempts
time1 val1
..
timeN valN

Now I want to do something like: eval Q = value(LABEL)
index=core.... LABEL=successfullAttempts | timechart sum(kpi) as X by LABEL | eval Q = value(LABEL)
but that won't work, because I can't use value() this way with eval.

But what I would hope to end up with is something like:

_time successfullAttempts Q
time1 val1 successfullAttempts
..
timeN valN successfullAttempts

0 Karma

HattrickNZ
Motivator

Basically,
index=core.... LABEL=successfullAttempts | timechart sum(kpi) as X values(LABEL) as LABEL by LABEL |
will get me what I want. But then I want to do a timewrap after this, and I just want to do it on the one column, e.g. X, which is related to a question I have asked on this here.

OR

After the timewrap, which I don't think can work on just one column, I could do the following:
just append the column I want, with the one value I want in the column.
... appendcols [ search
index=core ... | stats values(LABEL) as LABEL ] | eventstats max(LABEL) as LABEL

Was just hoping there was a better way than this.

0 Karma
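Added example, not part of the thread above: a self-contained SPL search over constructed makeresults data that shows both directions of the problem discussed here. The first half is the technique from kmorris_splunk's answer (eval {LABEL} = kpi turns each value of LABEL into a field name, which is what timechart ... by LABEL does behind the scenes). The second half answers HattrickNZ's follow-up: once LABEL itself is gone, foreach with the <<FIELD>> template recovers the name of whichever per-label column is populated on each row and writes it into Q, without hardcoding "successfullAttempts". The field names LABEL, kpi, serial and Q are assumptions chosen for the illustration, not names from the original posts.

```spl
| makeresults count=3
| streamstats count AS serial
``` Build three constructed rows: serial 1 and 3 carry the label successfullAttempts, serial 2 carries failedAttempts ```
| eval LABEL=case(serial=2, "failedAttempts", true(), "successfullAttempts")
| eval kpi=serial*100
``` Direction 1 (kmorris_splunk's technique): the VALUE of LABEL becomes the NAME of a new field holding kpi ```
| eval {LABEL}=kpi
``` Drop the helper fields so only _time, serial and the dynamically named columns remain, the same shape as "timechart sum(kpi) by LABEL" ```
| fields - LABEL kpi
``` Direction 2 (the follow-up question): walk every field, and on each row set Q to the name of the column that is non-null, skipping the known fixed columns ```
| foreach * [ eval Q=if("<<FIELD>>"!="_time" AND "<<FIELD>>"!="serial" AND isnotnull('<<FIELD>>'), "<<FIELD>>", Q) ]
| table _time serial successfullAttempts failedAttempts Q
```

Expected shape of the result: row 1 has successfullAttempts=100 and Q="successfullAttempts", row 2 has failedAttempts=200 and Q="failedAttempts", row 3 has successfullAttempts=300 and Q="successfullAttempts". After a real timechart ... by LABEL the same foreach works unchanged, because timechart produces one column per LABEL value; if several label columns are populated on one row, the last one foreach visits wins, so add a dedup or a fields - exclusion for columns you do not want considered. One practitioner caveat on eval {field}: the field name is taken straight from event data, so a value containing spaces, a leading underscore or the name of an existing field (for example a LABEL value of "_time") will produce an awkward or colliding field name. Constrain LABEL with a search filter or a regex (e.g. | where match(LABEL, "^[A-Za-z][A-Za-z0-9]*$")) before using it as a field name if the upstream data is not fully under your control.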