Take value from one field and return the value in ...

willial · ‎03-30-2015

Sorry for the title. Here's what I'm trying to do:

I have three fields: monthSearch1, monthSearch2, and monthSearch3. These represent a year/month combination. So 201501 = year 2015, month 01.

These have values of, for example: monthSearch1=201501 monthSearch2=201502 monthSearch3=201503

I also have three fields called 201501, 201502, 201503. These have numbers in them like 6 or 8 or 12.

I have even more fields: 201504, 201505, etc. These are all coming from a lookup table. I have things set up so that the monthSearch1,2,3 fields are set by user choices, so I only get the three year/month combos that I want for any user selection.

Basically, I want to use the monthSearch1 field (201501) to find and return the value that's in the 201501 field (and so on), so that I only add up the correct 3 months.

vganjare · ‎04-28-2015

Hi,

You can try using custom search command. http://docs.splunk.com/Documentation/Splunk/6.2.2/AdvancedDev/Searchscripts

You can copy over the field values in desired field by using string token.

Thanks!!

vganjare · ‎03-31-2015

Can you please share the detailed example along with data samples?

Thanks!!

willial · ‎03-31-2015

Here are my statements, starting from the relevant portion:

| eval yr="$form.yr$" | eval quarter="$form.quarter$" | eval yr=if("$form.quarter$"="Q1" OR "$form.quarter$"="Q2",yr-1,yr) | eval monthSearch=if("$form.quarter$"="Q1",'yr'+"07 "+'yr'+"08 "+'yr'+"09 ",monthSearch) | eval monthSearch=if("$form.quarter$"="Q2",'yr'+"10 "+'yr'+"11 "+'yr'+"12 ",monthSearch) | eval monthSearch=if("$form.quarter$"="Q3",'yr'+"01 "+'yr'+"02 "+'yr'+"03 ",monthSearch) | eval monthSearch=if("$form.quarter$"="Q4",'yr'+"04 "+'yr'+"05 "+'yr'+"06 ",monthSearch) | makemv monthSearch | eval monthSearch1=mvindex(monthSearch,0) | eval monthSearch2=mvindex(monthSearch,1) | eval monthSearch3=mvindex(monthSearch,2) | lookup closures "fullName" AS "fullName"

The following is what doesn't work:

| eval month1='monthSearch1' | eval month2='monthSearch2' | eval month3='monthSearch3' |** fillnull value=0 month1 month2 month3

Assume $form.quarter$=Q1 and $form.yr$=2015

The lookup "closures" contains the following info:

fullname,201507,201508,201509,201510,201511,201512
Adam Anderson,12,10,15,,37,11
Bob Briggs,,,4,21,,15
Cam Carson,10,25,31,22,16,1

I want an intermediate table that looks like:

fullName,monthSearch1,monthSearch2,monthSearch3,201507,201508,201509,month1,month2,month3
Adam Anderson,201507,201508,201509,12,10,15,12,10,15

vganjare · ‎04-27-2015

Hi,

Do you want to copy the values from monthSearch1 field to month1 field?

willial · ‎04-27-2015

More convoluted. I want to copy the value from the field whose name is specified in monthSearch1 (field 201507 in the example, yielding 12) to month1.

vganjare · ‎04-27-2015

Can you try using custom search commands? With a small python script, you can achieve this functionality very easily. More details about custom search commands @ http://docs.splunk.com/Documentation/Splunk/6.2.2/AdvancedDev/Searchscripts

vganjare · ‎04-27-2015

Also, can you try solution mentioned @ http://answers.splunk.com/answers/103700/how-do-i-create-a-field-whose-name-is-the-value-of-another-...

willial · ‎04-28-2015

The solution there is for creating a new field. I'm trying to reference an existing field.

Take value from one field and return the value in a second field with the same name as that value

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!