
I have two columns per event I am trying to use. We'll call these col1 and UnknownRandomColumnName (urcn for short).

The key of urcn changes from event to event and is unknown prior to search time, but the value of col1 will always be the key of urcn.

How can I use the value of col1 as a key for the data I'd like to output from urcn in a search? Example data for my events may look like this in a table:

==============================
|  col1   |  urcn1 |  urcn2  |
==============================
|  urcn1  | Value_1|         |
------------------------------
|  urcn2  |        |  Value_2|
------------------------------

Here is an example sample of the events:

{
  "type": "fwagods",
  "fwagods": {
    "name": "someNameHere",
    "age": 23
  }
},
{
  "type": "zsaf",
  "zsaf": {
    "name": "someName2",
    "age": 65
  }
},
{
  "type": "smorflafaum",
  "smorflafaum": {
    "name": "SomeName3",
    "age": 41
  }
}

The query of the table inputs should produce:

Value_1
Value_2

The query of the event format inputs should produce:

name: someNameHere, age: 23
name: someName2, age: 65
name: SomeName3, age: 41
tilted
  • What should be the output of your query? What is the desired result? – PM 77-1 Jun 29 '22 at 20:25
  • A table with the values of the `ucrn` columns – tilted Jun 29 '22 at 20:31
  • Please see if I got it right and [Edit] for clarification if necessary. – PM 77-1 Jun 29 '22 at 20:34
  • Interesting task. I found *almost* the answer https://community.splunk.com/t5/Splunk-Search/Read-a-field-value-which-field-name-is-in-another-field/m-p/494681 but could not compensate for its limitations. – PM 77-1 Jun 30 '22 at 14:47
  • Are those unknown column names completely random or do they follow any pattern that separates them from other fields? – PM 77-1 Jun 30 '22 at 14:48
  • They are random; to my knowledge there is not a pattern in their naming. Investigating your link now, thank you very much pm. – tilted Jun 30 '22 at 15:01
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/246071/discussion-between-pm-77-1-and-tilted). – PM 77-1 Jun 30 '22 at 15:02

1 Answer


Hey, I was able to solve this issue. We know the property names of the child values inside the object whose key we do not know. With this in mind, we are able to use the rex method and extract the values from the _raw field.

| rex field=_raw "name\":\s?\"?(?<new_name>.*?)\"?(,|})" | table new_name

would output

someNameHere
someName2
SomeName3

Credit and thanks to @PM 77-1 for helping me talk through this.

tilted
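As an added illustration (not part of the question or the answer above), the Python below runs the answer's rex pattern over constructed copies of the sample events and compares it with the dynamic-key lookup the question actually asks for (read the field named by the value of `type`). The event with a comma inside the name is a constructed edge case showing where a regex over `_raw` diverges from a structured lookup.

```python
import json
import re

# Constructed sample events in the shape the question describes: "type"
# holds the name of the sibling object whose contents we want.
RAW_EVENTS = [
    '{"type": "fwagods", "fwagods": {"name": "someNameHere", "age": 23}}',
    '{"type": "zsaf", "zsaf": {"name": "someName2", "age": 65}}',
    '{"type": "smorflafaum", "smorflafaum": {"name": "SomeName3", "age": 41}}',
]

# Constructed edge case: a value containing the delimiter the regex stops on.
EDGE_EVENTS = [
    '{"type": "xq", "xq": {"name": "Doe, Jane", "age": 30}}',
]

# Python form of the answer's rex: name\":\s?\"?(?<new_name>.*?)\"?(,|})
# (Python spells named groups (?P<...>); the pattern is otherwise identical).
NAME_RE = re.compile(r'name":\s?"?(?P<new_name>.*?)"?(,|})')


def names_by_rex(raw_events):
    """Mimic `| rex field=_raw ... | table new_name` over the raw event text."""
    out = []
    for raw in raw_events:
        m = NAME_RE.search(raw)
        out.append(m.group("new_name") if m else None)
    return out


def lookup_by_key_field(raw_events, key_field="type"):
    """Use the value of key_field as the name of the field to read: the
    dynamic-key lookup the question asks for, done on parsed JSON rather
    than regex over _raw, so it needs no knowledge of the child property names."""
    out = []
    for raw in raw_events:
        event = json.loads(raw)
        key = event.get(key_field)
        out.append(event.get(key) if key is not None else None)
    return out


if __name__ == "__main__":
    print(names_by_rex(RAW_EVENTS))  # ['someNameHere', 'someName2', 'SomeName3']
    for child in lookup_by_key_field(RAW_EVENTS):
        print(f"name: {child['name']}, age: {child['age']}")
    # The regex truncates at the comma; the structured lookup does not.
    print(names_by_rex(EDGE_EVENTS), lookup_by_key_field(EDGE_EVENTS)[0]["name"])
```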