Splunk Search

How can I use a field value as a field name and make that a drop-down value?

rahul_jasrotia
Path Finder

Hi,

I have a requirement where I want to make a common error dashboard for a set of apps with a textbox. There is an Errorid field which has different values for different applications i.e Errorid can be ID for 1 application and racfid for another. So I have made a lookup where, for an Appid, I find out the corresponding Errorid.

Now if I write the following search:

index=_internal |lookup lookup_name Appid OUTPUT Errorid

This gives me the correct Errorid Fieldname (like ID) as the field value in the field Errorid (i hope I'm clear on this)

Now I want to somehow make this field value as the fieldname to search further like below:-

index=_internal |lookup lookup_name Appid OUTPUT Errorid|Errorid.value(like ID)=$textboxvalue$|and so on

Am i doing anything wrong? please advise

0 Karma

stephanefotso
Motivator

Here is an example

<form>
  <label>Text Form Input Element</label>
  <description>Top N Sourcetypes using Text Form Input</description>
  <fieldset autoRun="true" submitButton="false">
    <input type="text" token="ID" searchWhenChanged="true">
      <label>entern the label you need</label>
      <default>5</default>
    </input>
  </fieldset>
  <row>
    <table>
      <title>Your title goes here</title>
      <searchString>index=_internal |lookup lookup_name Appid OUTPUT Errorid | search ID=$ID$  </searchString>
      <earliestTime>-24h@h</earliestTime>
      <latestTime>now</latestTime>
      <option name="rowNumbers">true</option>
    </table>
  </row>
</form>
SGF
0 Karma

srussell_splunk
Splunk Employee
Splunk Employee

Based on what you've written, field aliasing might be a good solution for you: http://docs.splunk.com/Documentation/Splunk/6.2.3/Knowledge/Addaliasestofields

It allows you to -- in your example -- alias "ID" field to "Errorid" field such that the two searches are identical:

Errorid="Blah"  | 

Is the same as:

 ID="Blah" | 
0 Karma

rahul_jasrotia
Path Finder

thanks for the reply,
yeah field alias is an option I tried but that would mean that I need to create some 10-15 aliases. I hope I found something to be able to do it from the search itself.

0 Karma

stephanefotso
Motivator

When you say, Errorid.value(like ID)=$textboxvalue$, please Which values your text box is suppose to take in that case? And, is ID is a field in your events?

SGF
0 Karma

rahul_jasrotia
Path Finder

Hi thanks for the reply,

textbox value will be given by the user, the problem is on the left hand side "Errorid.value(ID)"
Yes ID is a field in my events but this is just 1 case, for a different scenario this ID might be by some other name.

So i want to take the value inside the field errorid and use it as field further in the search string.

0 Karma

stephanefotso
Motivator

Means if Errorid has 5 values, you will have 5 textbox?

SGF
0 Karma

rahul_jasrotia
Path Finder

nopes the textbox will always have one value, its just that the value will be used as a fieldname further in the search.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...