Solved: How do you treat a variable value as another field...

derekho55 · ‎01-10-2019

I have a field named "object_XXX_property", where XXX string is dynamically generated and is held in another field named "entity". I want to get at the object property field and have it on a table. I figured that I probably need an intermediate variable to handle the dynamically generated field name:

<code>base search | eval cn="objects_".entity."_property"|.. </code>

How can I get my cn variable to display the value of the object_property field with Splunk?

woodcock · ‎01-11-2019

Like this:

| makeresults 
| eval entity = "foo" 
| eval object_foo_property = "correct"
| eval object_bar_property = "wrong"
| eval object_bat_property = "wrong"

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| eval cn="NO_MATCH"
| foreach object_*_property [ eval cn=if((entity="<<MATCHSTR>>"), <<FIELD>>, cn) ]

Do note that this also "works" but apparently is not what you desire (because it is the inverse):

| makeresults 
| eval entity = "foo" 

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| eval object_{entity}_property = "bar"

View solution in original post

woodcock · ‎01-11-2019

Now that I "get it", this is a GREAT question.

woodcock · ‎01-11-2019

Like this:

| makeresults 
| eval entity = "foo" 
| eval object_foo_property = "correct"
| eval object_bar_property = "wrong"
| eval object_bat_property = "wrong"

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| eval cn="NO_MATCH"
| foreach object_*_property [ eval cn=if((entity="<<MATCHSTR>>"), <<FIELD>>, cn) ]

Do note that this also "works" but apparently is not what you desire (because it is the inverse):

| makeresults 
| eval entity = "foo" 

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| eval object_{entity}_property = "bar"

derekho55 · ‎01-11-2019

thank you very much. This was what I was looking for. Got my query with some minor modifications on this.

woodcock · ‎01-11-2019

It always looks so easy when you see the trick.

woodcock · ‎01-11-2019

It was a fun problem to solve.

renjith_nair · ‎01-10-2019

@derekho55 ,

base search | eval object_{entity}_property="your value"

This will create field names with object_abc_property,object_xyz_property etc where abc & xyz are your entity values

Happy Splunking!

derekho55 · ‎01-11-2019

Thanks for your response. I don't want to create a field named object_{entity}_property; it already exists as a field with a value in it that I want to extract.

I've been trying with

| eval cn = object_{entity}_property| table cn but it wont work.

Straight up base search |table object_{entity}_property didn't work either.

How do you treat a variable value as another field with Splunk?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor