Splunk Search

How do I create a variable (or new field name) whose value is another field name?

HattrickNZ
Motivator

This is my sample search/data:

    | makeresults
    | eval data = "
    1    2017-12-01 00:00:00    A    0    131033    84.1;
    2    2017-12-01 00:30:00    B    0    23627    95;
    3    2017-12-01 00:45:00    C    0    117185    99.6;
    "
    | makemv delim=";" data
    | mvexpand data
    | rex field=data "(?<serial>\d)\s+(?<date>\d+-\d+-\d+ \d+:\d+:\d+)\s+(?<type>\w)\s+(?<attempts>\d+)\s+(?<successfullAttempts>\d+)\s+(?<sr>\d+)"
    | fields + date serial type attempts successfullAttempts sr
    | rename date as _time
    | search serial=*
    | eval x = "successfullAttempts"

And this is what I want, just for illustration.

    _time   serial  type    attempts    successfullAttempts sr  x
1   2017-12-01 00:00:00 1   A   0   131033  84  successfullAttempts
2   2017-12-01 00:30:00 2   B   0   23627   95  successfullAttempts
3   2017-12-01 00:45:00 3   C   0   117185  99  successfullAttempts

But what I am trying to do is be able to get the field name e.g. successfullAttempts as the value of another field name e.g. x.

So, given some data, how do I create a variable (or new field name) whose value is another field name?
Hope that explains it.
One option, that may or may not help explain it, is to appendcols [search .... | stats values(fieldnameThatHasTheValueOfInterest) as x]

0 Karma

kmorris_splunk
Splunk Employee

Try this:

Use the value of one field as the name for a new field
In this example, use each value of the field counter to make a new field name. Assign to the new field the value of the Value field. See Field names under the Usage section.

index=perfmon sourcetype=Perfmon* counter=* Value=* | eval {counter} = Value

Link to the documentation on this topic.

carbdb
Explorer

thanks, saved me loads of redundant coding!

i.e. an elegant new solution for setting dashboard tokens:

| sort 0 area -error_rate | dedup area
| eval x=area+"_service_id" | eval {x} = service_id | fields - x service_id
| eval x=area+"_service" | eval {x} = service | fields - x service
| eval x=area+"_value" | eval {x} = error_rate | fields - x error_rate
| eval x=area+"_color" | eval {x} = color | fields - x color
| fields - area _time
| stats values(*) as *

0 Karma
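As an added example (not from this thread or from Splunk's documentation), the same `eval {field} = value` pattern from kmorris_splunk's answer and carbdb's token-setting chain, applied to constructed authentication-outcome counts so that each outcome becomes its own column per host. The `makeresults`/`rex` lines only build the sample rows; `fillnull` then turns a missing outcome into an explicit 0 instead of a null, which matters when a dashboard or alert later compares the two columns:

```spl
| makeresults
| eval raw = "host1,login_success,131033;host1,login_failure,23627;host2,login_success,117185"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "(?<host>[^,]+),(?<outcome>[^,]+),(?<n>\d+)"
| fields - raw _time
| eval {outcome} = n
| fields - outcome n
| stats values(*) as * by host
| fillnull value=0
```

The result is one row per host with a `login_success` and a `login_failure` column (host2 gets `login_failure=0` from `fillnull`). To get carbdb's single-row layout for `<done>` tokens instead, build the key from both fields (`| eval key = host + "_" + outcome | eval {key} = n`) and finish with `stats values(*) as *` without a `by` clause.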

HattrickNZ
Motivator

tks, I don't see any new fields in my Interesting fields list.
also that link is to this page.

0 Karma

mayurr98
Super Champion

I guess you want something like this

| makeresults 
| eval data = "
      1    2017-12-01 00:00:00    A    0    131033    84.1;
     2    2017-12-01 00:30:00    B    0    23627    95;
     3    2017-12-01 00:45:00    C    0    117185    99.6;
     " 
| makemv delim=";" data 
| mvexpand data 
| rex field=data "(?<serial>\d)\s+(?<date>\d+-\d+-\d+ \d+:\d+:\d+)\s+(?<type>\w)\s+(?<attempts>\d+)\s+(?<successfullAttempts>\d+)\s+(?<sr>\d+)" 
| fields + date serial type attempts successfullAttempts sr 
| rename date as _time 
| search serial=* 
| append 
    [| makeresults 
    | eval failed="1"] 
| eval x =case(successfullAttempts>0,"successfullAttempts",failed>0,"failedAttempts")

let me know if this helps!

0 Karma

HattrickNZ
Motivator

Helps, thanks. But what if I did not know what the field name was, e.g. successfullAttempts? I would not be able to hardcode it like that.

Let me try to explain it better:
index=core.... LABEL=successfullAttempts | timechart sum(kpi) as X by LABEL
would give something like:

_time successfullAttempts
time1 val1
..
timeN valN

Now I want to do something like: eval Q = value(LABEL)
index=core.... LABEL=successfullAttempts | timechart sum(kpi) as X by LABEL | eval Q = value(LABEL)
but that won't work, because I can't use value() this way with eval.

But what I would hope to end up with is something like:

_time successfullAttempts Q
time1 val1 successfullAttempts
..
timeN valN successfullAttempts

0 Karma
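As an added example that is not part of this thread: the reverse direction, reading a field's name into a value when the name is not known in advance, can be done with SPL's `foreach` command and its `<<FIELD>>` token, which `foreach` substitutes with each matching field name before the bracketed eval runs. The `makeresults`/`streamstats` lines only construct rows shaped like the `timechart ... by LABEL` output described above (one `_time` column plus one series column); the `match` guard skips underscore-prefixed internal fields, and the pattern assumes a single series column, since with several the last one iterated would win:

```spl
| makeresults count=3
| streamstats count as i
| eval _time = _time - (i * 60), successfullAttempts = i * 100
| fields - i
| foreach * [eval Q = if(match("<<FIELD>>", "^_"), Q, "<<FIELD>>")]
| table _time successfullAttempts Q
```

Under those assumptions Q holds the string `successfullAttempts` on every row, which is the `_time successfullAttempts Q` shape asked for above, without hardcoding the field name in the eval.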

HattrickNZ
Motivator

Basically
index=core.... LABEL=successfullAttempts | timechart sum(kpi) as X value(LABEL) as LABEL by LABEL |
will get me what I want. But then I want to do a timewrap after this, but I just want to do it on the 1 column, e.g. X, which is related to a question I have asked on this here.

OR
after the timewrap, which I don't think can work on just 1 column, I could do the following:
just append the column I want with the 1 value I want in the column.
... appendcols [ search
index=core ... | stats values(LABEL) as LABEL ] | eventstats max(LABEL) as LABEL

Was just hoping there was a better way than this.

0 Karma