Hi,
I have this query
index=wholesale_app buildTarget=comcast analyticType=SessionStart |rename Properties.platformData.HC as hc|rename Properties.platformData.HM as hm|eval hardwaretype=hc+hm|table hardwaretype hc hm
Why won't the eval....well eval?
I've also tried this
index=wholesale_app buildTarget=comcast analyticType=SessionStart |rename Properties.platformData.HC as hc|rename Properties.platformData.HM as hm|eval hardwaretype=hc+" "+hm|table hardwaretype hc hm
and this
index=wholesale_app buildTarget=comcast analyticType=SessionStart |rename Properties.platformData.HC as hc|rename Properties.platformData.HM as hm|eval hardwaretype='hc'+" "+'hm'|table hardwaretype hc hm
The resulting table shows values for hc and hm but no values for hardwaretype.
@dbcase, we would like to know what is not working with eval. Can you post the tabular output of your search, preferably the following?
index=wholesale_app buildTarget=comcast analyticType=SessionStart |rename Properties.platformData.HC as hc|rename Properties.platformData.HM as hm|eval hardwaretype=hc+" "+hm|table hardwaretype hc hm
If both fields are strings, you can use strcat instead, which is a bit simpler to work with. Replace your eval command with:
| strcat hc " " hm hardwaretype
This will create a new field "hardwaretype" with your two strings and a space in between.
Without knowing what your fields have in them, I worry that eval is attempting to sum your fields, rather than concatenate them. If you want to use eval specifically, you can try using periods instead of plus signs - this is the preferred format for joining text:
| eval hardwaretype=hm." ".hc
Or even:
| eval hardwaretype=tostring(hm)." ".tostring(hc)