https://community.splunk.com/t5/Splunk-Search/Can-we-use-the-eval-command-to-calculate-fields-across-different/m-p/54760#M13360 <P>It would probably help to see the examples of what you have tried.</P> Thu, 17 May 2012 17:17:56 GMT sdaniels 2012-05-17T17:17:56Z https://community.splunk.com/t5/Splunk-Search/Can-we-use-the-eval-command-to-calculate-fields-across-different/m-p/54759#M13359 <P>Hello,</P> <P>I'm trying to do simple calculations with the eval command but the fields I need to calculate are spread across a number sourcetypes. The query would ultimately have a variable for user ID and would calculate data specific to the user located across multiple sourcetypes</P> <P>Would I want to use a combination of transaction/subsearches? I've tried both and a couple other approaches but I'm not sure if my issue is conceptual or with my syntax. Any suggestions?</P> <P>Thanks for any help,</P> Thu, 17 May 2012 16:43:00 GMT https://community.splunk.com/t5/Splunk-Search/Can-we-use-the-eval-command-to-calculate-fields-across-different/m-p/54759#M13359 ewm87 2012-05-17T16:43:00Z https://community.splunk.com/t5/Splunk-Search/Can-we-use-the-eval-command-to-calculate-fields-across-different/m-p/54760#M13360 <P>It would probably help to see the examples of what you have tried.</P> Thu, 17 May 2012 17:17:56 GMT https://community.splunk.com/t5/Splunk-Search/Can-we-use-the-eval-command-to-calculate-fields-across-different/m-p/54760#M13360 sdaniels 2012-05-17T17:17:56Z https://community.splunk.com/t5/Splunk-Search/Can-we-use-the-eval-command-to-calculate-fields-across-different/m-p/54761#M13361 <P>Well, I can give an example but in all honesty I'm not sure if my issue is conceptual? </P> <P>var1 would be a field in source1<BR /> var2 would be a field in source2</P> <P>(sourcetype="source1") OR (sourcetype="source2")| user_id="ID" | eval percentage=(var1/var2) | top percentage</P> <P>OR</P> <P>sourcetype="*" user_id="ID" | eval percentage=(var1/var2) | top percentage</P> <P>Not sure if this clarifies...</P> Thu, 17 May 2012 17:47:30 GMT https://community.splunk.com/t5/Splunk-Search/Can-we-use-the-eval-command-to-calculate-fields-across-different/m-p/54761#M13361 ewm87 2012-05-17T17:47:30Z https://community.splunk.com/t5/Splunk-Search/Can-we-use-the-eval-command-to-calculate-fields-across-different/m-p/54762#M13362 <P>I don't think it's a conceptual issue, that should be fine. As long as the first part of your search when you narrow it down (sourcetype=* user=x ) that the user exists in both source events. Otherwise, the field you try to calculate won't return in the result set and when eval is applied you'll get nothing. </P> Thu, 17 May 2012 18:18:21 GMT https://community.splunk.com/t5/Splunk-Search/Can-we-use-the-eval-command-to-calculate-fields-across-different/m-p/54762#M13362 sdaniels 2012-05-17T18:18:21Z https://community.splunk.com/t5/Splunk-Search/Can-we-use-the-eval-command-to-calculate-fields-across-different/m-p/54763#M13363 <P>Use the coalesce() function. This will allow you to group events from multiple sourcetypes.</P> Thu, 17 May 2012 18:33:59 GMT https://community.splunk.com/t5/Splunk-Search/Can-we-use-the-eval-command-to-calculate-fields-across-different/m-p/54763#M13363 mship 2012-05-17T18:33:59Z