Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to read a field value which field name is in another field?

mseijos
Engager
‎11-28-2019 07:42 AM

We have this table:

alt text

And we want to have a field (for example, named "value") that gets the value of the field which name is in the "name" field.
In the first row it would be value=3d, in the second row value would be value=1

Its similar to what
| eval {name} = "whatever"

would do, but reading instead of writing.
(something like | eval value = {name} but that doesn't work).

Labels (2)
Labels
Preview file
1 KB
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-29-2020 06:09 PM

 

| eval fieldnames="fieldnames"
| eval fieldvalues="dummy"
| foreach * [| eval fieldnames=if(match("<<FIELD>>","fieldnames|fieldvalues"),fieldnames,mvappend(fieldnames,"<<FIELD>>")) | eval fieldvalues=if(match("<<FIELD>>","fieldnames|fieldvalues"),fieldvalues,mvappend(fieldvalues,<<FIELD>>))]
| eval value=mvindex(fieldvalues,mvfind(fieldnames,name))
| fields - fieldnames fieldvalues

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

HappySplunker
Explorer
‎12-22-2021 06:52 AM

Hi @mseijos, I stumbled accross the same problem and think I got a solution, based on previous contribs:

 

| makeresults count=10 
| fields - _time 
| streamstats count 
| eval dummyName1="dummyVal1",dummyName2="dummyVal2", name="count", dummyName3="dummyVal3",dummyName4="dummyVal4" 
| foreach * 
    [| eval fieldnames=mvappend(fieldnames,"<<FIELD>>")
    | eval fieldvalues=mvappend(fieldvalues,<<FIELD>>)
    | eval value=mvindex(fieldvalues,mvfind(fieldnames,name)) 
    ]
| fields - dummy* fieldnames fieldvalues 
| table count name value

 

 

I added dummy values to test the code, as simpler solutions weren't working with a lot of fields per log (because foreach parses all values)

I know it's surely too late for you, but maybe some others will find this interesting.

 

Reply
Solved! Jump to solution

pm771
Communicator
‎06-30-2022 02:28 PM

@HappySplunker 

Your solution simplifies OP's requirements. You made an assumption that 

name="count"

for every event.

This is not the case. 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

HappySplunker
Explorer
‎09-23-2022 01:09 AM

Here's an updated version to be as close as possible to OP's requirements:

 

| makeresults count=4 
| streamstats count 
| eval age = case(count=1, 12, count=2, 25, count=3, 65, count=4, 21) 
| eval city = case(count=1, "Paris", count=2, "Berlin",count=3, "Tokyo", count=4, "Madrid") 
| eval name = case(count=1, "age", count=2, null(),count=3, "city", count=4, null()) 
| fields - _time count 
| foreach * 
    [| eval fieldnames=mvappend(fieldnames,"<<FIELD>>") 
    | eval fieldvalues=mvappend(fieldvalues,<<FIELD>>) 
    | eval value=mvindex(fieldvalues,mvfind(fieldnames,name)) 
        ] 
| fields -  fieldnames fieldvalues

 

 

HappySplunker_0-1663920657439.png

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-29-2020 06:09 PM

 

| eval fieldnames="fieldnames"
| eval fieldvalues="dummy"
| foreach * [| eval fieldnames=if(match("<<FIELD>>","fieldnames|fieldvalues"),fieldnames,mvappend(fieldnames,"<<FIELD>>")) | eval fieldvalues=if(match("<<FIELD>>","fieldnames|fieldvalues"),fieldvalues,mvappend(fieldvalues,<<FIELD>>))]
| eval value=mvindex(fieldvalues,mvfind(fieldnames,name))
| fields - fieldnames fieldvalues

 

0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎10-17-2023 12:12 AM

@mseijos - Marking this answer as accepted as it seems working. And it has been answered correctly first. Let me know if this doesn't work for you.

 

Splunk Community Moderator,

Vatsal Jagani

0 Karma
Reply
Solved! Jump to solution

kulick
Path Finder
‎09-29-2020 01:01 PM

I needed something like this also.

How about this inefficient solution?  It seems to work as long as you get the right fields into the `foreach` part...

| makeresults count=10 | streamstats count
| eval a="1", b="2", name="count"
| foreach * [ eval value=mvindex(mvappend(case(name="<<FIELD>>",'<<FIELD>>'),value),0) ]
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-28-2019 07:27 PM

Like this:

... | foreach name [ eval value="<<FIELD>>" ]
0 Karma
Reply
Solved! Jump to solution

mseijos
Engager
‎11-29-2019 12:09 AM

I tried your solution with this code:

| makeresults
| eval a="1"
| eval b="2"
| eval name="a"
| foreach name [ eval value="<<FIELD>>" ]

But "value" field gets the literal "name" as value. If I remove the quotes in <<FIELD>>, I get the literal "a" in "value" field.
The expected "value" field would be "1"

0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...