My apologies if there is an obvious answer to this question, but I have been searching Splunk answers and the documentation without success. I am interested in passing a field's name as a value to manipulate with eval in later steps. For example: FIELD1=value1 lastname=smith I want the ability to potentially create a new string field via eval with containing both the field name and value of FIELD1. For example: NEWFIELD="FIELD1 - value1" details="lastname - smith" However, I cannot find a way to print the field name of FIELD1 in an eval. I appreciate any help! Thanks. ... View more

I am looking for an elegant solution to the following problem: I want to summarize data from two different events which have the same sourcetype/index/etc, but which have identical values in two different fields. Event A: sourcetype= foo ComputerName=homepc FileName=example.exe PID=3333 PPID=2222 Event B: sourcetype=foo ComputerName=homepc FileName=parent.exe PID=2222 PPID=1111 I want to group data from both events into one summarized line like follows: ComputerName......FileName...........PID.........ParentFileName.......PPID homepc...................example.exe......3333.......parent.exe................2222 I have attempted to accomplish this via JOIN and it does seem to work, but I am aware this is not an ideal solution: index=_internal sourcetype=foo | table ComputerName FileName PID PPID | rename FileName as Child_FileName, PID as Child_PID, PPID as Parent_PID | join Parent_PID ComputerName [ search index=_internal sourcetype=foo | table ComputerName FileName PID | rename FileName as Parent_FileName, PID as Parent_PID ] If the sourcetypes in the two searches were different, I know I could easily accomplish this via a string of 'eval's and stats. Thanks for any suggestions! ... View more