I have json data that looks like this:

{
    "deploy:success": 2,
    "deploy:RTX:success": 1,
    "deploy:BLX:success": 1,
    "deploy:RTX:BigTop:success": 1,
    "deploy:BLX:BigTop:success": 1,
    "deploy:RTX:BigTop:xxx:success": 1,
    "deploy:BLX:BigTop:yyy:success": 1,
}

Where each new :<field> tacked on makes it more specific. Say a key with the format "deploy:RTX:success" is for a specific site RTX. I was planning on using a filter to show only the site-specific counts.

eval column_name=if($site_token$ = "", "deploy:success", "deploy:$site_token$:success")

Then rename the derived column:

rename column_name deploy

But the rename is looking for actual values in that first argument and not just a column name. I can't figure out how to get the values associated from that column for the life of me.

index=cloud_aws namespace=my namespace=Stats protov3=* 
| spath input=protov3 
| eval column_name=if("$site_token$" = "", "deploy:success", "deploy:$site_token$:success") 
| rename column_name AS "deploy"

What have I done incorrectly?

CodePudding user response：

It's not clear what the final result is supposed to be. If the result when $site_token$ is empty should be "deploy:success" then just use "deploy" as the target of the eval.

index=cloud_aws namespace=my namespace=Stats protov3=* 
| spath input=protov3 
| eval deploy=if("$site_token$" = "", "deploy:success", "deploy:$site_token$:success")

OTOH, if the result when $site_token$ is empty should be "2" then use the existing query with single quotes in the eval. Single quotes tell Splunk to treat the enclosed text as a field name rather than a literal string (which is what double quotes do).

index=cloud_aws namespace=my namespace=Stats protov3=* 
| spath input=protov3 
| eval deploy=if("$site_token$" = "", 'deploy:success', 'deploy:$site_token$:success')