- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why is the eval command not working for Calculated...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why is the eval command not working for Calculated Fields in Data Model?
I am designing a Data Model wherein I am specifying two or more sourcetypes in the constraints. The eval does not return values when i try to sum fields.
For example:
Constrain: index=some sourcetype=a OR sourcetype=b OR soucetype=c
Extracted: FieldA , FieldB
Calculated: FieldA+FieldB
The calculated field does not have values. The FieldA is in sourcetype-a and FieldB is in sourcetype-c
When I execute the search, eval does NOT work. But as a workaround if i add stats values(*) as * by _time it works.
Example search:
Index=some sourcetype=a OR sourcetype=b or sourcetype=c | stats values(*) as * by MARKET, _time | eval result=fielda+fieldb | timechart span=7d result
The eval is failing because the field is not present and hence no value. My question is how to mimic the above search in the DataModel or is there a better way? I want to use this as Root Event so that I can accelerate the data model.
Thank you in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem is surely that fielda is coming from events in different than fieldb (e.g. only sourcetypea has events with non-null fielda and only sourcetypeb has events with non-null fieldb. The only way to resolve this is to create aggregate events by using transaction or stats values(*) AS *. The fields (obviously) must both be present in each event for the calculation to work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay, so you need to be clear what you are trying to achieve.
In a single event you are only going to have a FieldA OR a FieldB. So, at the event level, your calculation needs to be something like
| eval result=coalesce(FieldA,0)+coalesce(FieldB,0)
The two individual fields will only be summable when there are multiple different events being summed, for example, when you are doing a stats or eventstats command.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know why the eval is failing. It is because the fields are not present in both source types. My question was if there are any better way to address the work-around. Your suggestion on coalesce seems one option of workaround but it is NOT the clean way. I am looking at a better way to address this. Thank you for your suggestion.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not sure why you would consider that "not the clean way", but six months later, I would not be using a + at all. This is cleaner, in my current opinion:
Index=some sourcetype=a OR sourcetype=b or sourcetype=c
| eval result=coalesce(result,FieldA,FieldB)
| timechart span=7d sum(result) as result
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
