I am designing a Data Model wherein I am specifying two or more sourcetypes in the constraints. The eval does not return values when I try to sum fields.
For example:
Constraint: index=some sourcetype=a OR sourcetype=b OR sourcetype=c
Extracted: FieldA , FieldB
Calculated: FieldA+FieldB
The calculated field does not have values. The FieldA is in sourcetype-a and FieldB is in sourcetype-c
When I execute the search, eval does NOT work. But as a workaround, if I add stats values(*) as * by _time it works.
Example search:
Index=some sourcetype=a OR sourcetype=b or sourcetype=c | stats values(*) as * by MARKET, _time | eval result=fielda+fieldb | timechart span=7d result
The eval is failing because the field is not present and hence no value. My question is how to mimic the above search in the DataModel or is there a better way? I want to use this as Root Event so that I can accelerate the data model.
Thank you in advance.
The problem is surely that fielda is coming from different events than fieldb (e.g. only sourcetypea has events with non-null fielda and only sourcetypeb has events with non-null fieldb). The only way to resolve this is to create aggregate events by using transaction or stats values(*) AS *. The fields (obviously) must both be present in each event for the calculation to work.
Okay, so you need to be clear what you are trying to achieve.
In a single event you are only going to have a FieldA OR a FieldB. So, at the event level, your calculation needs to be something like
| eval result=coalesce(FieldA,0)+coalesce(FieldB,0)
The two individual fields will only be summable when there are multiple different events being summed, for example, when you are doing a stats or eventstats command.
I know why the eval is failing. It is because the fields are not present in both source types. My question was if there are any better way to address the work-around. Your suggestion on coalesce seems one option of workaround but it is NOT the clean way. I am looking at a better way to address this. Thank you for your suggestion.
Not sure why you would consider that "not the clean way", but six months later, I would not be using a + at all. This is cleaner, in my current opinion:
Index=some sourcetype=a OR sourcetype=b or sourcetype=c
| eval result=coalesce(result,FieldA,FieldB)
| timechart span=7d sum(result) as result
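Added example, not code from the original thread: a small Python model of the behaviour discussed above, namely Splunk's eval treating a field that is absent from an event as null, and the two workarounds (coalesce() per event, or merging the events with stats values(*) as * by _time before the eval). The events, field values and the simplification of values(*) to a single value per field are all constructed assumptions.

```python
from collections import defaultdict

EVENTS = [  # constructed sample: FieldA only in sourcetype a, FieldB only in sourcetype c
    {"_time": 1, "sourcetype": "a", "FieldA": 5},
    {"_time": 1, "sourcetype": "c", "FieldB": 7},
    {"_time": 2, "sourcetype": "a", "FieldA": 3},
    {"_time": 2, "sourcetype": "b"},  # neither field is present
    {"_time": 2, "sourcetype": "c", "FieldB": 4},
]

def coalesce(*values):
    """SPL coalesce(): the first argument that is not null, else null."""
    return next((v for v in values if v is not None), None)

def eval_plus(event):
    """eval result=FieldA+FieldB: a null operand makes the whole result null."""
    a, b = event.get("FieldA"), event.get("FieldB")
    return None if a is None or b is None else a + b

def eval_coalesce_plus(event):
    """eval result=coalesce(FieldA,0)+coalesce(FieldB,0): a missing field counts as 0."""
    return coalesce(event.get("FieldA"), 0) + coalesce(event.get("FieldB"), 0)

def eval_coalesce_fields(event):
    """eval result=coalesce(FieldA,FieldB): take whichever field the event carries."""
    return coalesce(event.get("FieldA"), event.get("FieldB"))

def stats_values_by_time(events):
    """stats values(*) as * by _time, simplified to one value per field:
    every field seen in a _time bucket lands on one merged event."""
    buckets = defaultdict(dict)
    for ev in events:
        for k, v in ev.items():
            if k not in ("_time", "sourcetype"):
                buckets[ev["_time"]][k] = v
    return [{"_time": t, **fields} for t, fields in sorted(buckets.items())]

def timechart_sum(events, calc):
    """timechart sum(result): per-_time sum of the eval result, null values ignored."""
    totals = defaultdict(int)
    for ev in events:
        r = calc(ev)
        if r is not None:
            totals[ev["_time"]] += r
    return dict(totals)

if __name__ == "__main__":
    print([eval_plus(e) for e in EVENTS])                          # every raw event: None
    print(timechart_sum(stats_values_by_time(EVENTS), eval_plus))  # {1: 12, 2: 7}
    print(timechart_sum(EVENTS, eval_coalesce_fields))             # {1: 12, 2: 7}
```

The raw-event eval yields null for every event because no single event carries both fields; merging by _time first, or coalescing per event and summing in timechart, both give the same totals.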