×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
alesyo
Engager
Member since: ‎03-05-2025
‎03-06-2025
Community Statistics
Posts 2
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎03-05-2025
Activity Feed
Topics I've Started
View All

Re: Extract value by dynamic fields

by in Splunk Search
‎03-05-2025 07:48 AM
‎03-05-2025 07:48 AM
Thanks for your answer, The events are part of an index, which aren't available as json. It is a shared notable index. My idea is to define in a lookup which fieldnames I will extract. For Example: | eval sum=case(id=1, "dest_ip:" .dest_ip ",src_ip:".src_ip, id=2, "user:".user + ",domain:".domain id=3, "country:".country, id=4, "company:".company + ",product:".product) | table id, sum   But the scalable is very worse, because the kind of condition is grow up to 1000. I think is not manageable in one use case. Thanks for your help Best regards Tino ... View more

Extract value by dynamic fields

by in Splunk Search
‎03-05-2025 06:36 AM
‎03-05-2025 06:36 AM
Hi Community, I have the following challenge. I have different events, and for each event, I want to generate a summary with different values. These values are defined in a lookup table. The following example: E1: id=1 , dest_ip=1.1.1.1, src_ip=2.2.2.2,..... E2: id=2, user=bob,  domain=microsoft E3: id=3 county=usa, city=seattle E4: id=4 company=cisco, product=splunk Lookup Table: (Potential more fieldnames) ID Field1  Field2 1 dest_ip src_ip 2 user domain 3 country   4 company product Expected Output: id1: Summary dest_ip=1.1.1.1 src_ip=2.2.2.2 Id2: Summary user=bob domain=microsoft id3: Summary country=usa Id4: Summary company=splunk, product =splunk The solution could be using a case function but it doesn't scale well becuse I woult need to add a new line for each case. Potentially, the number of cases could grow to 1000. I tried to solve with foreach, but I am unable to retrieve the values from the event. Here's the query I tried.       index=events | lookup cases.csv id OUTPUT field1, field2 | foreach field* [ eval summary = summary + "<<field>>" + ":" <<ITEM>> ] table id, summary       Thanks for your help! Alesyo ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎03-06-2025 06:51 AM
Karma given to
View All