Solved: Re: Using a column of field names to dynamically s...

dvanderlaan · ‎05-05-2017

Hi.

Suppose my search generates the first 4 columns from the following table:

field1  field2  field3  lookup  result
x1      y1      z1      field1  x1
x2      y2      z2      field3  z2
x3      y3      z3      field2  y3

I would like to create the result column using values from lookup to specify which fieldX to extract the result value from.

So if I have an expression like ...| eval result=lookup, what do I need to wrap around the lookup to achieve the the result column in the table above?

woodcock · ‎05-06-2017

Like this:

| makeresults 
| eval raw="x1 y1 z1 field1 x1::x2 y2 z2 field3 z2::x3 y3 z3 field2 y3" 
| makemv delim="::" raw 
| mvexpand raw 
| rex field=raw "(?<field1>\S+)\s+(?<field2>\S+)\s+(?<field3>\S+)\s+(?<lookup>\S+)\s+(?<expected_result>\S+)"
| fields - raw _time

| rename COMMENT AS "Everything above fakes sample data; everything below is your solution."

| eval result="N/A"
| foreach field* [eval result=if(lookup="<<FIELD>>", $<<FIELD>>$, result)]

View solution in original post

sbarr0 · ‎07-19-2019

Try this new AddOn: https://splunkbase.splunk.com/app/4597/

It does exactly what you are looking for. 🙂

| makeresults 
| eval Field1=1
| eval Field2=2
| eval Field3=3
| eval Field4=4
| eval pointer_field="Field4"
| pointerset newField pointer="pointer_field"

Field1  Field2  Field3  Field4  pointer_field   newField    
1           2       3       4       Field4          4

woodcock · ‎05-06-2017

Like this:

| makeresults 
| eval raw="x1 y1 z1 field1 x1::x2 y2 z2 field3 z2::x3 y3 z3 field2 y3" 
| makemv delim="::" raw 
| mvexpand raw 
| rex field=raw "(?<field1>\S+)\s+(?<field2>\S+)\s+(?<field3>\S+)\s+(?<lookup>\S+)\s+(?<expected_result>\S+)"
| fields - raw _time

| rename COMMENT AS "Everything above fakes sample data; everything below is your solution."

| eval result="N/A"
| foreach field* [eval result=if(lookup="<<FIELD>>", $<<FIELD>>$, result)]

DalJeanis · ‎05-05-2017

It seems over complicated, but this should accomplish the need...

 | rename lookup to mylookup
 | appendpipe 
    [| map search="| makeresults | eval field1=$field1$ | eval field2=$field2$ | eval field3=$field3$ | eval result=$lookup$ | table field1 field2 field3 mylookup result" 
    | dedup field1 field2 field3 mylookup 
    | outputcsv mytemp.csv 
    | where false()
     ]
 | join type=left field1 field2 field3 mylookup [| inputcsv mytemp.csv ]

dvanderlaan · ‎05-05-2017

Ideally I'm hoping for a solution which would scale well with large numbers of fieldX columns. Sorry, I could have been more clear in the question.

For example, ... | eval {lookup} = blargh uses values from one field to specify the name of another field. So I was hoping that something like ... | eval result = {lookup} might work, but doesn't.

Is there anything like this in SPL?

richgalloway · ‎05-05-2017

Assuming you already have field1, field2, field3, and lookup, you should be able to get result with case.

... | eval result = case(lookup="field1", field1, lookup="field2",field2, lookup="field3",field3, 1=1,"oops")

---
If this reply helps you, Karma would be appreciated.

dvanderlaan · ‎05-05-2017

Thanks a lot for your answer rich. It's certainly a solution to my question, but not quite what I was hoping for. I've added a comment to clarify what I'm looking for

Using a column of field names to dynamically select fields for use in eval expression

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases