Re: Take value from one field and return the value...

willial · ‎03-30-2015

Sorry for the title. Here's what I'm trying to do:

I have three fields: monthSearch1, monthSearch2, and monthSearch3. These represent a year/month combination. So 201501 = year 2015, month 01.

These have values of, for example: monthSearch1=201501 monthSearch2=201502 monthSearch3=201503

I also have three fields called 201501, 201502, 201503. These have numbers in them like 6 or 8 or 12.

I have even more fields: 201504, 201505, etc. These are all coming from a lookup table. I have things set up so that the monthSearch1,2,3 fields are set by user choices, so I only get the three year/month combos that I want for any user selection.

Basically, I want to use the monthSearch1 field (201501) to find and return the value that's in the 201501 field (and so on), so that I only add up the correct 3 months.

vganjare · ‎04-28-2015

Hi,

You can try using custom search command. http://docs.splunk.com/Documentation/Splunk/6.2.2/AdvancedDev/Searchscripts

You can copy over the field values in desired field by using string token.

Thanks!!

vganjare · ‎03-31-2015

Can you please share the detailed example along with data samples?

Thanks!!

willial · ‎03-31-2015

Here are my statements, starting from the relevant portion:

| eval yr="$form.yr$" | eval quarter="$form.quarter$" | eval yr=if("$form.quarter$"="Q1" OR "$form.quarter$"="Q2",yr-1,yr) | eval monthSearch=if("$form.quarter$"="Q1",'yr'+"07 "+'yr'+"08 "+'yr'+"09 ",monthSearch) | eval monthSearch=if("$form.quarter$"="Q2",'yr'+"10 "+'yr'+"11 "+'yr'+"12 ",monthSearch) | eval monthSearch=if("$form.quarter$"="Q3",'yr'+"01 "+'yr'+"02 "+'yr'+"03 ",monthSearch) | eval monthSearch=if("$form.quarter$"="Q4",'yr'+"04 "+'yr'+"05 "+'yr'+"06 ",monthSearch) | makemv monthSearch | eval monthSearch1=mvindex(monthSearch,0) | eval monthSearch2=mvindex(monthSearch,1) | eval monthSearch3=mvindex(monthSearch,2) | lookup closures "fullName" AS "fullName"

The following is what doesn't work:

| eval month1='monthSearch1' | eval month2='monthSearch2' | eval month3='monthSearch3' |** fillnull value=0 month1 month2 month3

Assume $form.quarter$=Q1 and $form.yr$=2015

The lookup "closures" contains the following info:

fullname,201507,201508,201509,201510,201511,201512
Adam Anderson,12,10,15,,37,11
Bob Briggs,,,4,21,,15
Cam Carson,10,25,31,22,16,1

I want an intermediate table that looks like:

fullName,monthSearch1,monthSearch2,monthSearch3,201507,201508,201509,month1,month2,month3
Adam Anderson,201507,201508,201509,12,10,15,12,10,15

vganjare · ‎04-27-2015

Hi,

Do you want to copy the values from monthSearch1 field to month1 field?

willial · ‎04-27-2015

More convoluted. I want to copy the value from the field whose name is specified in monthSearch1 (field 201507 in the example, yielding 12) to month1.

vganjare · ‎04-27-2015

Can you try using custom search commands? With a small python script, you can achieve this functionality very easily. More details about custom search commands @ http://docs.splunk.com/Documentation/Splunk/6.2.2/AdvancedDev/Searchscripts

vganjare · ‎04-27-2015

Also, can you try solution mentioned @ http://answers.splunk.com/answers/103700/how-do-i-create-a-field-whose-name-is-the-value-of-another-...

willial · ‎04-28-2015

The solution there is for creating a new field. I'm trying to reference an existing field.

Take value from one field and return the value in a second field with the same name as that value

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk