I am calculating distance between the 2 latitude and longitude and if the distance > 0, then it will return the event or else it does not do anything. An event contains a Json message body. Following is the search I am using, but it is giving me an error.
sourcetype=SplunkRabbitMQ_messaging | spath input=msg_body | eval distance=sqrt(pow('13'-[search sourcetype=SplunkKafka_messaging | spath input=msg_body | eval lat2=pickup_latitude | return $lat2],2)+pow('5'-[search sourcetype=SplunkKafka_messaging | spath input=msg_body | eval long2=pickup_longitude | return $long2],2)) | eval result = if (distance>0, [search sourcetype=SplunkRabbitMQ_messaging | spath input=msg_body], [search sourcetype=SplunkKafka_messaging | spath input=msg_body]) | return $result
Error:
Error in 'eval' command: Typechecking failed. The '==' operator received different types.
I have to use this search in real-time.
Update: In the search , '13' & '5' are the column indexes and not the numeric value.
I'll give this a shot
[search sourcetype=SplunkRabbitMQ_messaging | spath input=msg_body | eval distance=sqrt(pow('13'-[search sourcetype=SplunkKafka_messaging | spath input=msg_body | eval lat2=pickup_latitude | return $lat2],2)+pow('5'-[search sourcetype=SplunkKafka_messaging | spath input=msg_body | eval long2=pickup_longitude | return $long2],2)) | eval sourcetype=if (distance>0, "SplunkRabbitMQ_messaging", "SplunkKafka_messaging") | table sourcetype]
| spath input=msg_body
The subsearch (all line except last line) will return which sourcetype to use.
I'll give this a shot
[search sourcetype=SplunkRabbitMQ_messaging | spath input=msg_body | eval distance=sqrt(pow('13'-[search sourcetype=SplunkKafka_messaging | spath input=msg_body | eval lat2=pickup_latitude | return $lat2],2)+pow('5'-[search sourcetype=SplunkKafka_messaging | spath input=msg_body | eval long2=pickup_longitude | return $long2],2)) | eval sourcetype=if (distance>0, "SplunkRabbitMQ_messaging", "SplunkKafka_messaging") | table sourcetype]
| spath input=msg_body
The subsearch (all line except last line) will return which sourcetype to use.
Thanks it worked like a charm.
Run your search before the eval result and table distance. I suspect you are getting a value that is not a number.
You might also consider downloading the haversign app to do the calculation for you:
Thanks I will have a look on it.
You're putting integers in single quotes which is declaring them as strings, then you're trying math on strings. Do this instead:
sourcetype=SplunkRabbitMQ_messaging | spath input=msg_body | eval distance=sqrt(pow(13-[search sourcetype=SplunkKafka_messaging | spath input=msg_body | eval lat2=pickup_latitude | return $lat2],2)+pow(5-[search sourcetype=SplunkKafka_messaging | spath input=msg_body | eval long2=pickup_longitude | return $long2],2)) | eval result = if (distance>0, [search sourcetype=SplunkRabbitMQ_messaging | spath input=msg_body], [search sourcetype=SplunkKafka_messaging | spath input=msg_body]) | return $result
Sorry I have updated the question. '13' & '5' were the column indexes of sourcetype=SplunkRabbitMQ_messaging, i was referring.
Though I ran your query and it resulted in the same error.