For wildcards to reference existing field names in an eval, how do you reference those field names?
Quick question (I think) - if you need wildcards to reference existing field names in an eval, how do you reference those field names in your eval? E.g., do an eval operation against fieldA, fieldB, and fieldC using a single operation? Could be any fieldX.
Answers
-
Sounds like you are trying to extract all key-value pairs in a field? Perhaps the entire event _raw? If so, consider a parser function and specify the relevant type (kv, regex, etc.). Another option is a regex extract function. See the tooltip screenshot when using this method for the format to follow, and enable 'global'.
0 -
I understood they'd want to run a certain EVAL function on multiple fields (that match a wildcard pattern). As far as I know EVAL doesn't support that. I guess the Splunk equivalent would be the `| foreach` function. You might be able to build something yourself with the Code function though...
0 -
Code would be the alternative for sure. Depending on what the beginning and ending need to look like, it might be achievable through a combination of other functions (parser, regex extract, rename). Rename supports bulk field name renaming.
0
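What the Code-function suggestion in the answers above could look like, as an added example that is not part of the original thread: plain JavaScript that applies one operation to every event field whose name matches a wildcard. The helper names, the sample event, and the assumption that the event is available as a plain object are constructed for illustration.

```javascript
// Added example: apply one operation to every field matching a wildcard.
// Assumption: the event is available as a plain object of field -> value.

// Convert a field-name wildcard (only '*' is special) to an anchored RegExp.
// Every other character is escaped so names like "a.b" or "x[0]" match literally.
function wildcardToRegExp(pattern) {
  const escaped = pattern
    .split('*')
    .map((part) => part.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*');
  return new RegExp(`^${escaped}$`);
}

// Run fn(value, name) on each matching field and write the result back.
// Fields starting with "__" are skipped (treated as internal; an assumption).
// Returns the names of the fields that matched.
function evalOnFields(event, pattern, fn) {
  const re = wildcardToRegExp(pattern);
  const matched = [];
  for (const name of Object.keys(event)) {
    if (name.startsWith('__') || !re.test(name)) continue;
    event[name] = fn(event[name], name);
    matched.push(name);
  }
  return matched;
}

// Constructed sample event.
const sample = {
  _raw: 'fieldA=Alice fieldB=BOB fieldC=Carol',
  fieldA: 'Alice',
  fieldB: 'BOB',
  fieldC: 'Carol',
  'field.D': 7,
  other: 'Untouched',
};

// One operation (lowercase string values) across every field named field*.
const changed = evalOnFields(sample, 'field*', (v) =>
  typeof v === 'string' ? v.toLowerCase() : v
);
console.log(changed, sample);
```

Anchoring the pattern and escaping everything except `*` keeps a wildcard such as `a.b*` from matching unrelated field names through regex metacharacters.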