I'm trying to create a transaction from events in two sourcetypes. Sourcetype=A has a field called "number". Sourcetype=B has a field called "subscriberNumber".
I tried this search:
sourcetype=A OR sourcetype=B | rename number AS subscriberNumber | transaction subscriberNumber maxspan=2m
This search only returns results from the sourcetype=A. But if I do:
sourcetype=A OR sourcetype=B | eval phone=coalesce(number,subscriberNumber) | transaction phone maxspan=2m
it works.
Why doesn't rename work? That seems a much simpler way to do it.
Thx.
Craig
I think it's because rename takes the null values for the 'number' field from sourcetype B, and uses those null values to overwrite the non-null values in sourcetype B...
Whether or not that's the better behavior overall (and I think I agree it's not), you should use eval with coalesce or just an if statement or case statement.
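As an added illustration that is not part of the question or answer, the Python below models the behaviour the answer describes: rename carries a null "number" from sourcetype B events over their non-null "subscriberNumber", so those events never join a transaction, while coalesce keeps the first non-null value. The sample events, the simplified transaction grouping and the function names are constructed for this example, not Splunk's own implementation.

```python
from datetime import datetime, timedelta

# Constructed sample events: sourcetype A carries "number", sourcetype B carries "subscriberNumber".
EVENTS = [
    {"_time": datetime(2023, 1, 1, 10, 0, 0), "sourcetype": "A", "number": "5551234"},
    {"_time": datetime(2023, 1, 1, 10, 0, 30), "sourcetype": "B", "subscriberNumber": "5551234"},
    {"_time": datetime(2023, 1, 1, 10, 5, 0), "sourcetype": "A", "number": "5559876"},
    {"_time": datetime(2023, 1, 1, 10, 5, 45), "sourcetype": "B", "subscriberNumber": "5559876"},
]
MAXSPAN = timedelta(minutes=2)  # the maxspan=2m from the question

def rename_field(events, old, new):
    """Model of `rename old AS new` as the answer describes it: whatever `old`
    holds (None when the field is absent) replaces `new`, so B events lose subscriberNumber."""
    out = []
    for ev in events:
        ev = dict(ev)
        ev[new] = ev.pop(old, None)
        out.append(ev)
    return out

def coalesce_field(events, new, *candidates):
    """Model of `eval new=coalesce(a, b)`: the first non-null candidate wins."""
    out = []
    for ev in events:
        ev = dict(ev)
        ev[new] = next((ev[c] for c in candidates if ev.get(c) is not None), None)
        out.append(ev)
    return out

def transaction(events, field, maxspan):
    """Simplified model of `transaction field maxspan=...`: events sharing `field`
    are grouped while the group stays within `maxspan`; events with a null key are skipped."""
    open_groups, closed = {}, []
    for ev in sorted(events, key=lambda e: e["_time"]):
        key = ev.get(field)
        if key is None:
            continue  # a null transaction field never joins a group
        grp = open_groups.get(key)
        if grp and ev["_time"] - grp[0]["_time"] > maxspan:
            closed.append(grp)  # span exceeded: close and start a new group
            grp = None
        if grp is None:
            grp = open_groups[key] = []
        grp.append(ev)
    return closed + list(open_groups.values())

def compare():
    """Transaction sizes for both searches from the question: ([1, 1], [2, 2])."""
    via_rename = transaction(rename_field(EVENTS, "number", "subscriberNumber"), "subscriberNumber", MAXSPAN)
    via_coalesce = transaction(coalesce_field(EVENTS, "phone", "number", "subscriberNumber"), "phone", MAXSPAN)
    return sorted(len(g) for g in via_rename), sorted(len(g) for g in via_coalesce)
```

Under the rename model only the sourcetype A events survive as one-event transactions; under coalesce each A/B pair is joined.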