Dynamic Field names?
I have a log that looks like this:
cs1Label="Field Name" cs1="some value" cs2Label="Another Field" cs2="another value"
Is there a way to dynamically parse out the cs# values and give them a field name of the cs#Label value?
Something similar to this (but that works):
| parse "cs1=\"*\"" as (parse "cs1Label=\"*\"")
The KeyValue formatted log functionality doesn't seem to apply here.
There appear to be only two variations in the log, cn and cs; each pair is tied together with the same numeric value. So two variations, assuming the software vendor doesn't add any new ones in a future release.
- cs# and cs#Label
- cn# and cn#Label
Total counts also appear to be fixed at this time: cs1 - cs5, and only cn1 and cn2, though based on the naming strategy I'm guessing that was done to facilitate the easy addition of new fields as needed in the future.
Also, I just realized you were asking if the fields are likely to change. The answer is that they appear to be fixed (e.g. cs2 always = foo and cs1 always = bar), but the way they went about assigning them like this makes me nervous about whether that will always be the case, which is why I was asking whether there's a better solution than statically assigning the field names in my query based on the assumption the fields won't change. It sounds like the answer is that this is my only option today?
If the fields are currently fixed you could statically assign them.
e.g. if cs1Label='foo' cs1='bar' cs2Label='baz' cs2='spam' then
| keyvalue auto keys "cs1", "cs2" as foo, baz
You could put if statements in field extraction rules so that if the fields change the data won't be incorrectly assigned.
| "cs1Label=\"Field Name\" cs1=\"some value\" cs2Label=\"Another Field\" cs2=\"another value\"" as test
| keyvalue auto field = test keys "cs1Label", "cs1", "cs2Label", "cs2" as cs1Label, cs1, cs2Label, cs2
| if (cs1Label matches "Field Name", cs1, "something else") as fieldName
| if (cs2Label matches "Another Field", cs2, "") as anotherField
If there are only a few possible combinations you could use nested if statements, but that would get unwieldy pretty quickly as complexity increases.
| if (cs1Label matches "Field Name", cs1,
if (cs2Label matches "Field Name", cs2, "")) as fieldname
Unfortunately there isn't a good way to parse the whole log and assign one piece of it to be the key while the other is the value. I'll keep an eye out to see if anything changes and update this thread if I find anything.
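Since the query language cannot use one field's value as another field's name, the dynamic mapping asked for in the question (give each cs#/cn# value the name held in cs#Label/cn#Label) can be done before ingestion or in a post-processing step. The following Python is an added example written for this thread; it is not Sumo Logic query code and not part of the original posts. The log lines in CONSTRUCTED_LINES are constructed for the demo, and the collision rules (a label may not rename a field onto an existing key, and two fields may not share a label) are this example's own choice: the label text comes from the log itself, so a log producer could otherwise use cs1Label="src" to overwrite a real field.

```python
import re
from collections import Counter

# key="quoted value" (backslash-escaped quotes allowed) or key=bare_value
_KV_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')
# csN (custom string) / cnN (custom number); the matching label key is csNLabel / cnNLabel
_CUSTOM_RE = re.compile(r'^(cs|cn)(\d+)$')

# Constructed sample lines in the format shown in the question (not real vendor output).
CONSTRUCTED_LINES = [
    'cs1Label="Field Name" cs1="some value" cs2Label="Another Field" cs2="another value" '
    'cn1Label="Attempts" cn1=3 src=10.0.0.5',
    # second line exercises the edge cases: a label that collides with a real key,
    # an unlabelled custom field, a label after its value, and two fields sharing a label
    'src=10.0.0.6 cs1Label="src" cs1="1.2.3.4" cs3="orphan value" cn2=7 '
    'cn2Label="Session Count" cs4Label="Same" cs4="a" cs5Label="Same" cs5="b"',
]


def parse_kv(line):
    """Split a key=value line into a dict of raw keys (cs1, cs1Label, src, ...)."""
    fields = {}
    for m in _KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        if quoted is not None:
            # undo the \" and \\ escapes used inside quoted values
            fields[key] = quoted.replace('\\"', '"').replace('\\\\', '\\')
        else:
            fields[key] = bare
    return fields


def relabel_custom_fields(fields):
    """Rename csN/cnN values to the name carried in csNLabel/cnNLabel.

    Returns (renamed_fields, notes).  Rules (this example's own policy):
      * a custom field with no label keeps its raw key (cs3 stays cs3)
      * label keys are consumed and do not appear in the output
      * cnN values become int where possible
      * a label that would overwrite a non-custom key, or that two custom
        fields share, is rejected and the raw key is kept; the label is
        untrusted input and must not clobber other fields
    """
    out = {}
    notes = []
    custom = {k: v for k, v in fields.items() if _CUSTOM_RE.match(k)}
    labels = {k: v for k, v in fields.items()
              if k.endswith('Label') and _CUSTOM_RE.match(k[:-5])}
    # everything that is neither a custom value nor a custom label passes through unchanged
    for k, v in fields.items():
        if k not in custom and k not in labels:
            out[k] = v
    reserved = set(out)
    name_counts = Counter(labels[r + 'Label'] for r in custom if r + 'Label' in labels)
    for raw, val in custom.items():
        if raw.startswith('cn'):
            try:
                val = int(val)
            except ValueError:
                notes.append(f'{raw}: non-numeric cn value {val!r} kept as string')
        name = labels.get(raw + 'Label')
        if name is None:
            out[raw] = val
            notes.append(f'{raw}: no label present, kept raw key')
        elif not name.strip() or name in reserved or name_counts[name] > 1:
            out[raw] = val
            notes.append(f'{raw}: label {name!r} rejected (empty or collides), kept raw key')
        else:
            out[name] = val
    return out, notes


def process(line):
    """Parse one line and apply the dynamic label mapping."""
    return relabel_custom_fields(parse_kv(line))


if __name__ == '__main__':
    for line in CONSTRUCTED_LINES:
        renamed, notes = process(line)
        print(renamed)
        for n in notes:
            print('  note:', n)
```

The first sample line comes out as {'src': '10.0.0.5', 'Field Name': 'some value', 'Another Field': 'another value', 'Attempts': 3}; the second keeps cs1, cs4 and cs5 under their raw keys and records why in the notes, so a rename that would have hidden or overwritten data is visible rather than silent. If the vendor later adds cs6/cn3 the parser picks them up without any static list, which is the point the thread was after.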