Hi, i have 2 fields and they are float numbers, for example 2,7 and 0,6.
I need to create a field that is the sum of these 2 fields, but if i use
| eval toal=field_1+field_2
The result is a concatenate string.
I tried also convert num but 2 fields become 2 and 06 then the sum is 8.
Could you help me?
Thanks
Hi maurelio79,
looks like the ,
is the problem, because this will fail
index=_internal | head 1 | eval foo="2,6" | eval bar="3,5" | eval myResult=foo+bar | table myResult
but this will work
index=_internal | head 1 | eval foo="2.6" | eval bar="3.5" | eval myResult=foo+bar | table myResult
any way to replace the ,
with a dot .
maybe by using some regex in SED mode?
Based on the above run everywhere example you can do something like this:
index=_internal | head 1 | eval foo="2,6" | eval bar="3,5" | rex field=foo mode=sed "s/,/./g" | rex field=bar mode=sed "s/,/./g" | eval myResult=foo+bar | table myResult
If this fits your needs you can then set it up to be done automatically, just follow the docs example here.
Or if possible, change the event source to have the numbers logged like this 2.5
hope this helps ...
cheers, MuS
Hi maurelio79,
looks like the ,
is the problem, because this will fail
index=_internal | head 1 | eval foo="2,6" | eval bar="3,5" | eval myResult=foo+bar | table myResult
but this will work
index=_internal | head 1 | eval foo="2.6" | eval bar="3.5" | eval myResult=foo+bar | table myResult
any way to replace the ,
with a dot .
maybe by using some regex in SED mode?
Based on the above run everywhere example you can do something like this:
index=_internal | head 1 | eval foo="2,6" | eval bar="3,5" | rex field=foo mode=sed "s/,/./g" | rex field=bar mode=sed "s/,/./g" | eval myResult=foo+bar | table myResult
If this fits your needs you can then set it up to be done automatically, just follow the docs example here.
Or if possible, change the event source to have the numbers logged like this 2.5
hope this helps ...
cheers, MuS
see my update 😉
Good! Thanks! Values are genereted by a bash script, so i can replace "," with "." using sed. It will works. Thanks very much!