This is my sample search/data:
| makeresults
| eval data = "
1 2017-12-01 00:00:00 A 0 131033 84.1;
2 2017-12-01 00:30:00 B 0 23627 95;
3 2017-12-01 00:45:00 C 0 117185 99.6;
"
| makemv delim=";" data
| mvexpand data
| rex field=data "(?<serial>\d)\s+(?<date>\d+-\d+-\d+ \d+:\d+:\d+)\s+(?<type>\w)\s+(?<attempts>\d+)\s+(?<successfullAttempts>\d+)\s+(?<sr>\d+)"
| fields + date serial type attempts successfullAttempts sr
| rename date as _time
| search serial=*
| eval x = "successfullAttempts"
And this is what I want, just for illustration.
_time serial type attempts successfullAttempts sr x
1 2017-12-01 00:00:00 1 A 0 131033 84 successfullAttempts
2 2017-12-01 00:30:00 2 B 0 23627 95 successfullAttempts
3 2017-12-01 00:45:00 3 C 0 117185 99 successfullAttempts
But what I am trying to do is be able to get the field name e.g. successfullAttempts as the value of another field name e.g. x.
So, given some data, how do I create a variable (or new field name) with its value another field name?
Hope that explains it.
One option, that may or may not help explain it, is to appendcols [search .... | stats values(fieldnameThatHasTheValueOfInterest) as x]
Try this:
Use the value of one field as the name for a new field
In this example, use each value of the field counter to make a new field name. Assign to the new field the value of the Value field. See Field names under the Usage section.
index=perfmon sourcetype=Perfmon* counter=* Value=* | eval {counter} = Value
thanks, saved me loads of redundant coding!
i.e. elegant new solution setting dashboard tokens:
| sort 0 area -error_rate | dedup area
| eval x=area+"_service_id" | eval {x} = service_id | fields - x service_id
| eval x=area+"_service" | eval {x} = service | fields - x service
| eval x=area+"_value" | eval {x} = error_rate | fields - x error_rate
| eval x=area+"_color" | eval {x} = color | fields - x color
| fields - area _time
| stats values(*) as *
tks, I don't see any new fields in my Interesting fields list.
also that link is to this page.
I guess you want something like this
| makeresults
| eval data = "
1 2017-12-01 00:00:00 A 0 131033 84.1;
2 2017-12-01 00:30:00 B 0 23627 95;
3 2017-12-01 00:45:00 C 0 117185 99.6;
"
| makemv delim=";" data
| mvexpand data
| rex field=data "(?<serial>\d)\s+(?<date>\d+-\d+-\d+ \d+:\d+:\d+)\s+(?<type>\w)\s+(?<attempts>\d+)\s+(?<successfullAttempts>\d+)\s+(?<sr>\d+)"
| fields + date serial type attempts successfullAttempts sr
| rename date as _time
| search serial=*
| append
[| makeresults
| eval failed="1"]
| eval x =case(successfullAttempts>0,"successfullAttempts",failed>0,"failedAttempts")
let me know if this helps!
helps, thanks. But what if I did not know what the fieldname was, e.g. successfullAttempts? I would not be able to hardcode it like that.
let me try to explain it better
index=core.... LABEL=successfullAttempts | timechart sum(kpi) as X by LABEL
would give something like:
_time successfullAttempts
time1 val1
..
timeN valN
Now I want to do something like: eval Q = value(LABEL)
index=core.... LABEL=successfullAttempts | timechart sum(kpi) as X by LABEL | eval Q = value(LABEL)
but that won't work, because I can't use value() this way with eval.
But what I would hope to end up with is something like:
_time successfullAttempts Q
time1 val1 successfullAttempts
..
timeN valN successfullAttempts
basically
index=core.... LABEL=successfullAttempts | timechart sum(kpi) as X value(LABEL) as LABEL by LABEL |
will get me what I want. But then I want to do a timewrap after this, but I just want to do it on the 1 column, e.g. X, which is related to a question I have asked on this here
OR
after the timewrap, which I don't think can work on just 1 column, I could do the following:
just append the column I want with the 1 value I want in the column.
... appendcols [ search index=core ... | stats values(LABEL) as LABEL ] | eventstats max(LABEL) as LABEL
Was just hoping there was a better way than this.
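Added example, not part of any post in this thread: a run-anywhere search that builds the table described above (the series name repeated in a column Q beside its values) without hardcoding the name, by combining untable with the eval {field} = value form quoted in the answer. The three events are constructed with makeresults; LABEL, kpi, X and Q follow the names used in the thread, and fixedrange=false is there only so timechart does not pad the result with empty buckets.

```spl
| makeresults count=3
| streamstats count as n
| eval _time = _time - (3 - n) * 1800
| eval LABEL = "successfullAttempts", kpi = n * 100
| timechart fixedrange=false span=30m sum(kpi) by LABEL
| untable _time Q X
| eval {Q} = X
| table _time successfullAttempts Q
```

untable turns each column produced by "by LABEL" back into rows, so the column name lands in Q as an ordinary value and the number in X; eval {Q} = X then recreates the column under whatever name Q holds. The final table line names successfullAttempts only to fix the display order for this sample.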