I have json data that looks like this:
{
"deploy:success": 2,
"deploy:RTX:success": 1,
"deploy:BLX:success": 1,
"deploy:RTX:BigTop:success": 1,
"deploy:BLX:BigTop:success": 1,
"deploy:RTX:BigTop:xxx:success": 1,
"deploy:BLX:BigTop:yyy:success": 1
}
Where each new :<field> tacked on makes it more specific. Say a key with the format "deploy:RTX:success" is for a specific site RTX. I was planning on using a filter to show only the site-specific counts.
eval column_name=if($site_token$ = "", "deploy:success", "deploy:$site_token$:success")
Then rename the derived column:
rename column_name deploy
But the rename is looking for actual values in that first argument and not just a column name. I can't figure out how to get the values associated from that column for the life of me.
index=cloud_aws namespace=my namespace=Stats protov3=*
| spath input=protov3
| eval column_name=if("$site_token$" = "", "deploy:success", "deploy:$site_token$:success")
| rename column_name AS "deploy"
What have I done incorrectly?
CodePudding user response:
It's not clear what the final result is supposed to be. If the result when $site_token$ is empty should be "deploy:success" then just use "deploy" as the target of the eval.
index=cloud_aws namespace=my namespace=Stats protov3=*
| spath input=protov3
| eval deploy=if("$site_token$" = "", "deploy:success", "deploy:$site_token$:success")
OTOH, if the result when $site_token$ is empty should be "2" then use the existing query with single quotes in the eval. Single quotes tell Splunk to treat the enclosed text as a field name rather than a literal string (which is what double quotes do).
index=cloud_aws namespace=my namespace=Stats protov3=*
| spath input=protov3
| eval deploy=if("$site_token$" = "", 'deploy:success', 'deploy:$site_token$:success')
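As an added illustration (not part of the question or the answer above), the following Python models the quoting rule the answer relies on: in `eval`, a double-quoted argument is a string literal, while a single-quoted argument is a reference to a field of that name. The sample event is constructed here to mirror the JSON in the question, `spath` is a simplified stand-in for Splunk's spath on a flat object, and `resolve` / `deploy_value` are hypothetical helper names; the dashboard token `$site_token$` is simulated by passing the site string as a parameter. It also shows what happens for a site that has no matching key, which the answer does not cover: the field reference yields null (None here) rather than the key text.

```python
import json

# Constructed sample event shaped like the JSON in the question (not the asker's real data).
SAMPLE_EVENT = json.loads("""{
  "deploy:success": 2,
  "deploy:RTX:success": 1,
  "deploy:BLX:success": 1,
  "deploy:RTX:BigTop:success": 1,
  "deploy:BLX:BigTop:success": 1,
  "deploy:RTX:BigTop:xxx:success": 1,
  "deploy:BLX:BigTop:yyy:success": 1
}""")

LITERAL_QUOTE = '"'  # eval treats "..." as a string literal
FIELD_QUOTE = "'"    # eval treats '...' as a field name


def spath(event):
    """Approximate `spath` on a flat JSON object: every key becomes a field,
    colons and all, so "deploy:RTX:success" is a field named exactly that."""
    return {str(key): value for key, value in event.items()}


def resolve(fields, arg):
    """Apply eval's quoting rule to one argument.

    "..."  -> the literal text between the quotes
    '...'  -> the value of the field with that name (None if the field does
              not exist, mirroring Splunk's null for a missing field)
    """
    if len(arg) >= 2 and arg[0] == LITERAL_QUOTE and arg[-1] == LITERAL_QUOTE:
        return arg[1:-1]
    if len(arg) >= 2 and arg[0] == FIELD_QUOTE and arg[-1] == FIELD_QUOTE:
        return fields.get(arg[1:-1])
    raise ValueError(f"expected a quoted argument, got {arg!r}")


def deploy_value(fields, site_token, quote):
    """Evaluate the answer's eval for one site token using the given quote character.

    quote == LITERAL_QUOTE reproduces the first query (deploy becomes a key name),
    quote == FIELD_QUOTE reproduces the second query (deploy becomes that key's count).
    """
    key = "deploy:success" if site_token == "" else f"deploy:{site_token}:success"
    return resolve(fields, f"{quote}{key}{quote}")


if __name__ == "__main__":
    fields = spath(SAMPLE_EVENT)
    for token in ("", "RTX", "BLX", "ZZZ"):
        literal = deploy_value(fields, token, LITERAL_QUOTE)
        count = deploy_value(fields, token, FIELD_QUOTE)
        print(f"site_token={token!r}: literal -> {literal!r}, field -> {count!r}")
```

Running it prints the key name for the double-quoted form and the count for the single-quoted form; the constructed site "ZZZ" has no key, so the field form returns None, which is the case to check for (for example with `isnull`) before displaying the panel.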