Dynamic Field names?

Follow
Avatar
Nicholas Sandmann

I have a log that looks like this:

    cs1Label="Field Name" cs1="some value" cs2Label="Another Field" cs2="another value"

 

Is there a way to dynamically parse out the cs# values and give them a field name of the cs#Label value?

Something similar to this(but that works):

    | parse "cs1=\"*\"" as (parse "cs1Label=\"*\"")

 

The KeyValue formatted log functionality doesn't seem to apply here.

0

Comments

4 comments

Sort by Date Votes
  • Avatar
    Don Gothing
    • Edited

    Hey Nicholas,

     

    We don't seem to have a good way to dynamically assign the value of one pair to be the key of another. Will cs1 and cs2 be have the same labels in all of the logs or do they change?

    0
    Comment actions Permalink
  • Avatar
    Nicholas Sandmann
    • Edited

    There appear to be only 2 variations in the log cn and cs, all are tied together with the same numeric value.  So 2 variations assuming the software vendor doesn't add any new ones in a future release.

    • cs# and cs#Label
    • cn# and cn#Label 

    Total counts also appear to be fixed at this time as well. cs1 - cs5, and only cn1 and cn2, though based on the naming strategy I'm guessing that was done to facilitate the easy addition of new fields as needed in the future.

    0
    Comment actions Permalink
  • Avatar
    Nicholas Sandmann

    also, just realized you were asking if the fields are likely to change.  The answer being that they appear to be fixed(eg: cs2 always = foo and cs1 always = bar), but the way they went about assigning them like this makes me nervous about whether that will always be the case, which is why I was asking whether there's a better solution than statically assigning the field names in my query based on the assumption the fields won't change, and it sounds like the answer is that is my only option today?

    0
    Comment actions Permalink
  • Avatar
    Don Gothing

    if the fields are currently fixed you could statically assign them.

    eg: if cs1label='foo' cs1='bar' cs2Label='baz' cs2='spam' then

    | keyvalue auto keys "cs1", "cs2" as foo, baz

    You could put if statements in field extraction rules so that if the fields change the data won't be incorrectly assigned.

    | "cs1Label=\"Field Name\" cs1=\"some value\" cs2Label=\"Another Field\" cs2=\"another value\"" as test
    | keyvalue auto field = test keys "cs1Label", "cs1", "cs2Label", "cs2" as cs1Label, cs1, cs2Label, cs2
    | if (cs1Label matches "Field Name", cs1, "something else") as fieldName
    | if (cs2Label matches "Another Field", cs2, "") as anotherField

     

    If there are only a few possible combinations you could use nested if statements, but that would get unwieldy pretty quickly as complexity increases.

    | if (cs1Label matches "Field Name", cs1, 
      if (cs2Label matches "Field Name", cs2, "")) as fieldname

    Unfortunately there isn't a good way to parse the whole log and assign one piece of it to be the key while the other is the value. I'll keep an eye out to see if anything changes and update this thread if I find anything.

    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post