Splunk Search

Why is the eval command not working for Calculated Fields in Data Model?

nravichandran
Communicator

I am designing a Data Model wherein I am specifying two or more sourcetypes in the constraints. The eval does not return values when i try to sum fields.

For example:
Constrain: index=some sourcetype=a OR sourcetype=b OR soucetype=c
Extracted: FieldA , FieldB
Calculated: FieldA+FieldB

The calculated field does not have values. The FieldA is in sourcetype-a and FieldB is in sourcetype-c
When I execute the search, eval does NOT work. But as a workaround if i add stats values(*) as * by _time it works.

Example search:

Index=some sourcetype=a OR sourcetype=b or sourcetype=c | stats values(*) as * by MARKET, _time | eval result=fielda+fieldb | timechart span=7d result

The eval is failing because the field is not present and hence no value. My question is how to mimic the above search in the DataModel or is there a better way? I want to use this as Root Event so that I can accelerate the data model.

Thank you in advance.

0 Karma

woodcock
Esteemed Legend

The problem is surely that fielda is coming from events in different than fieldb (e.g. only sourcetypea has events with non-null fielda and only sourcetypeb has events with non-null fieldb. The only way to resolve this is to create aggregate events by using transaction or stats values(*) AS *. The fields (obviously) must both be present in each event for the calculation to work.

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Okay, so you need to be clear what you are trying to achieve.

In a single event you are only going to have a FieldA OR a FieldB. So, at the event level, your calculation needs to be something like

| eval result=coalesce(FieldA,0)+coalesce(FieldB,0)

The two individual fields will only be summable when there are multiple different events being summed, for example, when you are doing a stats or eventstats command.

0 Karma

nravichandran
Communicator

I know why the eval is failing. It is because the fields are not present in both source types. My question was if there are any better way to address the work-around. Your suggestion on coalesce seems one option of workaround but it is NOT the clean way. I am looking at a better way to address this. Thank you for your suggestion.

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Not sure why you would consider that "not the clean way", but six months later, I would not be using a + at all. This is cleaner, in my current opinion:

Index=some sourcetype=a OR sourcetype=b or sourcetype=c 
| eval result=coalesce(result,FieldA,FieldB)
| timechart span=7d sum(result) as result
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...