How do you indirectly access a field value?

doton · ‎01-07-2019

In the following query, I want to use the value of b as a field:

| makeresults 
| eval a=1
| eval b="a"
| eval c=some_operation_based_on(b)

I want c to be equal to the value of a i.e. 1 in this example. I have tried using foreach and {field_name} but I wasn't able to achieve the result I want.

kamlesh_vaghela · ‎01-07-2019

@doton
Can you please try this?

| makeresults 
| eval a=1 
| eval b="a" 
| eval c="" 
| foreach * 
    [ eval c=if("<<FIELD>>"==b,<<FIELD>>,c)]

You can do any operations as per you requirement,

doton · ‎01-07-2019

@kamlesh_vaghela, Thanks it works, but I don't understand how it works. If I understand correctly, <<FIELD>> will be replaced by filed names as foreach loops through them. Thus when the field is b the the eval expression should be equal to eval c=if("b"==b,b,c) and b is equal to "a" so c should be equal to "a". In the next iteration of the loop it will became eval c=if("c"==b,c,c) so it shouldn't change the value of c.
Can you please elaborate?

kamlesh_vaghela · ‎01-07-2019

@doton

In foreach, it will only assign a value in field c if the field name match with the value of c (which is contain the name of field) else it will assign it self's value ( means c will assign value of c only). This will not override the matched values. So it is basic if else concept.

🙂

doton · ‎01-08-2019

Thanks, I was missing this point

if the field name match with the value

kamlesh_vaghela · ‎01-08-2019

@doton

Great..
Please upvote and accept the answer to close this question.

harishalipaka · ‎01-07-2019

@doton

can u try like this $result.b$

Thanks
Harish

How do you indirectly access a field value?

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability

Introducing the Splunk Community Dashboard Challenge!