I'm trying to have Splunk build a list of field names where the values in the fields meet some criteria - note though that I want the field names not the values. The search might look something like:
```
... | eval updated = "" | foreach * [eval updated = if(<<FIELD>> >1, <fieldname> . " " .updated , updated)]
```
I get `<fieldname>` isn't going to work - logically though, that is what I'm trying to achieve. If there is a different/better way, I'm all ears.
/sigh
Helps to read the documentation closer. You simply need to wrap the `<<FIELD>>` bit in double quotes. I thought I had seen this somewhere
```
... | eval updated = "" | foreach * [eval updated = if(<<FIELD>> >1, "<<FIELD>>" . " " . updated, updated)]
```
@Runals thanks for giving the answer instead of leaving us hanging. I facepalm regularly, I might as well put a sticker of a hand on my cheek 🙂
How can we get both fields and their respective values?
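The double-quoted `<<FIELD>>` template from the answer above, as an added example that is not from the thread: it runs stand-alone on one constructed event and goes a step further by also collecting `name=value` pairs, which is what the follow-up question asks for. The sample fields (`cpu`, `mem`, `disk`, `net errors`, `host_role`) and the output fields `names` and `pairs` are assumptions made up for the illustration.

```spl
| makeresults
| fields - _time
| eval cpu=3, mem=0, disk=7, "net errors"=2, host_role="web"
| eval names=""
| foreach *
    [ eval names = if(isnum('<<FIELD>>') AND '<<FIELD>>' > 1,
                      "<<FIELD>>" . " " . names, names),
           pairs = if(isnum('<<FIELD>>') AND '<<FIELD>>' > 1,
                      mvappend(pairs, "<<FIELD>>" . "=" . '<<FIELD>>'), pairs) ]
| table names pairs
```

Double quotes turn the template into the field's name as a string, while single quotes make eval read the field's value even when the name contains a space, as `net errors` does. The `isnum` guard keeps text fields such as `host_role` and the accumulator fields themselves out of the result.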