Hi Everyone, I am not able to use the eval command with stats. I am using the following search in a form; I want to find the sum of a field depending on the action selected from a drop-down. I am using the eval command to find the field but am not able to pass the same to the stats command.
Any help is much appreciated.
sourcetype=brm_batch_data ACTION=$ACTION_SELECTED$ | eval action_val = case (ACTION == "INVOICING", "BILL_DUE", ACTION == "BILLING", "AMOUNT", ACTION="PAYMENT", "AMOUNT") | stats sum(action_val)
Well, since action_val is not a number, it is not meaningful to try to sum it, obviously. Perhaps you have fields/variables named BILL_DUE and AMOUNT, in which case all you need to do is remove the quotes from around the names in your case() expression to fix it.
sourcetype=brm_batch_data ACTION=$ACTION_SELECTED$ | eval action_val = case (ACTION == "INVOICING", BILL_DUE, ACTION == "BILLING", AMOUNT, ACTION="PAYMENT", AMOUNT) | stats sum(action_val)
Thanks gkanapathy, it worked.