I have a field named "object_XXX_property", where XXX string is dynamically generated and is held in another field named "entity". I want to get at the object property field and have it on a table. I figured that I probably need an intermediate variable to handle the dynamically generated field name:
<code>base search | eval cn="objects_".entity."_property"|.. </code>
How can I get my cn variable to display the value of the object_property field with Splunk?
Like this:
| makeresults
| eval entity = "foo"
| eval object_foo_property = "correct"
| eval object_bar_property = "wrong"
| eval object_bat_property = "wrong"
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| eval cn="NO_MATCH"
| foreach object_*_property [ eval cn=if((entity="<<MATCHSTR>>"), <<FIELD>>, cn) ]
Do note that this also "works" but apparently is not what you desire (because it is the inverse):
| makeresults
| eval entity = "foo"
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| eval object_{entity}_property = "bar"
Now that I "get it", this is a GREAT question.
Like this:
| makeresults
| eval entity = "foo"
| eval object_foo_property = "correct"
| eval object_bar_property = "wrong"
| eval object_bat_property = "wrong"
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| eval cn="NO_MATCH"
| foreach object_*_property [ eval cn=if((entity="<<MATCHSTR>>"), <<FIELD>>, cn) ]
Do note that this also "works" but apparently is not what you desire (because it is the inverse):
| makeresults
| eval entity = "foo"
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| eval object_{entity}_property = "bar"
thank you very much. This was what I was looking for. Got my query with some minor modifications on this.
It always looks so easy when you see the trick.
It was a fun problem to solve.
base search | eval object_{entity}_property="your value"
This will create field names with object_abc_property,object_xyz_property etc where abc & xyz are your entity values
Thanks for your response. I don't want to create a field named object_{entity}_property; it already exists as a field with a value in it that I want to extract.
I've been trying with
| eval cn = object_{entity}_property| table cn
but it wont work.
Straight up base search |table object_{entity}_property
didn't work either.