Hi.
I am trying to search across multiple indexes. The field I am looking for is Value (and has only numbers). This value must not contain any decimals, and in case the sourcetype is sourcetype1, then the value must be recalculated as (Value-100)*-1.
My search:
index=* sourcetype="sourcetype1" OR source=source2 | eval Value=if(sourcetype="sourcetype1", Value=round(((Value-100)*-1), 0), Value=round(Value, 0))
The result I get is either True or False for the Value field. What am I doing wrong?
Thank you in advance.
Your if command is returning comparisons instead of values. Try
index=* sourcetype="sourcetype1" OR source=source2 | eval Value=if(sourcetype="sourcetype1", round(((Value-100)*-1), 0), round(Value, 0))
I've just deleted my answer as @richgalloway already provided you with a valid one