First time poster.
I've combed the Splunk>Answers for something related but I can't find out why coalesce works in one search and not another.
I want to use stats to report Latitude Longitude from multiple different logs and there are some logs that have different log structures. I have used field extractions for all the various Lat&Lon combinations. In one saved search, I can use a calculated field which basically is
eval Lat=coalesce(Lat1,Lat2,Lat3,Lat4) and corresponding one for Lon.
In SavedSearch1, I use a simple query of
Event1=* OR Event2=* | stats Avg(Lat) Avg(Long) and it works the way it's supposed to. Event1 has Lat1 messages and Event2 has Lat2 messages and Lat ends up being a new field named "Lat" in every found event with either Lat1 or Lat2.
In SavedSearch2, I use the same query structure. The only difference in setup is that there is an intermediate calc field step:
Lat4=exact(LatA/2) which shows up in the Verbose field.
Lat=coalesce(Lat1,Lat2,Lat3,Lat4) does not work at all.
I hoped that writing this out would give me an idea and it has: combine the 1st calculated field into the coalesce function.
Turns out combining the calculated fields into one step works. I guess I found a race condition that wasn't easy to find in the documentation.
Can you share the query that is not working and indicate what is the field name for lat and long for each data source?
It's all good. I figured it out. It is a search-time-operation-sequence issue. Basically, calculated fields cannot be based off of other calculated fields at search time.
Calculated fields cannot use other calculated fields. You'd need to include the /2 in the coalesce.
Thanks @Martin_Mueller. The reason I didn't find that is because it doesn't exist for 6.4.3 - which I'm running. I tried it out at the bottom of my post and it did work. Thanks for finding the documentation!
Yeah, that's a new page... feel free to submit feedback at the bottom of the docs page to ask for it to be backported.
From what I can see, its content applies 1:1 to previous versions.