If I have a string field called batchname that can have any value or not be present, e.g.
2012-11-14 10:55:06.000 message=a ; customer=customer1 batchname=batch1
2012-11-14 10:55:07.000 message=b ; customer=customer1
I want to do some stats based on the following pseudo code:
if batchname is null then type is online
if batchname is not null then type is batch
The nearest I got was fillnull value=online batchname
Perhaps I can use eval?
eval type=? | stats count by customer, message, type
Thanks
David
You are on the right path. I would use eval and the isnull() function.
index=blah | eval batchname=if(isnull(batchname), "online", "batch")
| stats count by customer, message, batchname
I think you are looking for this:
<your search> | eval type = if(isnull(batchname), "online", "batch") | ...
Shane! That is what I get for not refreshing the page 🙂