Refine your search:

Given two fields, how can i create a third field whose name is the first value and whose value is the second?

3

I have a dataset where the rows in my search results all have a 'value' field, and there's another field that specifies what exactly this is the value of.

So picture having 

name="color" value="red"

how could I get these rows to have

color="red"

And of course this is given that i have no idea what any of the names are going to be up front so I have to set it dynamically.

Since there's a lot going on in the regex already I am a bit reluctant to try and do it in the transforms.conf stanza itself. However I'm at a loss for what such a regex would like like so any help there is appreciated too. =)

I'm sure someone has run into this before and rather than hack my way through it I thought I'd ask what the best practice is.

asked 28 Sep '10, 17:59

nick's gravatar image

nick ♦
14.2k1318
accept rate: 46%

edited 07 Jun '11, 18:10

jlaw's gravatar image

jlaw ♦
20113
2 Answers:
oldestnewestmost voted
4

There are two ways that this can be done.

  1. Use eval. Any string in curly braces "{}" in the destination key will be resolved using the value of that named field. For example: ... | eval {name}=value | ...
  2. Use chart. If all you care about is the the columns implied by the value of "name", you can use the series creation feature of chart. For example: ... | chart first(value) by <rowid> name.
link

answered 28 Sep '10, 19:24

Stephen%20Sorkin's gravatar image

Stephen Sorkin ♦
8.1k47
accept rate: 52%

1

awesome. Both are good solutions. I tend to prefer the "chart first(value) over <rowid> by name" syntax cause its less confusing (which i only mention because i just got confused by yr answer =). Sorkin's the best.

(28 Sep '10, 20:03) nick ♦
4

If you still want to do it in transforms.conf, you would do:

REGEX = name="(?<_KEY_1>[^"])" value="(?<_VAL_1>[^"])"

i.e., Splunk will take pairs of named extractions and make KV pairs out of them. The above would be equivalent to:

REGEX = name="([^"])" value="([^"])"
FORMAT = $1::$2

Presumably your data looks something like:

{ name="color" value="red" }, { name="width" value="300" }, { name="height" value="150" }

which is fine, as the field extraction will get repeated by default.

The Splunk default extractions for WMI and Windows Event Logs in etc/system/default/transforms.conf use this general technique.

link

answered 29 Sep '10, 05:10

gkanapathy's gravatar image

gkanapathy ♦
26.5k1622
accept rate: 42%

edited 29 Sep '10, 05:16

1

Thanks Gerald. I'd forgotten about the FORMAT key and I've just been doing named extractions. I'll take another look and this may be the way to go. My events are considerably messier than that unfortunately but even so, the FORMAT may well clean things up.

(30 Sep '10, 19:27) nick ♦
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×335
×166

Asked: 28 Sep '10, 17:59

Seen: 800 times

Last updated: 07 Jun '11, 18:10

Related questions

Create multivalued field in the search based on another field

Combine 2 fields to create a new field?

How can I extract two fields as a single field in my search result.

Create a field out of matched search strings

How to stop automatic field extraction from creating separate fields for each case variant on the same field name

Can I create a multivalue field in a search?

How to create a search-time field based on source port and facility

Way to insert/create field based on source?

create new field from substring of another field

Copyright © 2005-2012 Splunk, Inc. All rights reserved.