Splunk Enterprise Security

Eval command with check on sourcetype does not work with Data Model

SIEMStudent
Path Finder

Hi Splunkers,

I have an issue with the use of Data Model, eval command and sourcetype as filter. Let me explain better.

Customer asked us to modify the field action on Data Model Email: if the sourcetype is a particular one, let's say xxx, action must be equal to another field called final_action. Otherwise, the normal behavior is fine.

Now, in the Email Data Model the field action is a calculated one with the following eval expression:

if(isnull(action) OR action="","unknown",action)

So, I thought to simply modify it in a case expression, adding the check on the sourcetype; based on this, I tested the following search:

| from datamodel:"Email" 
| eval action = case(isnull(action) OR action="","unknown", sourcetype="xxx", final_action, 1=1, action) 
| stats count values(action) as action by sourcetype

But it does not work; I mean, the field action is correctly filled for all other sourcetypes we have, but the action output field for sourcetype xxx is empty.

My first doubt was: does the problem exist because I used different fields in the case function, not equal between them? So I used this search:

| from datamodel:"Email" 
| eval action = if(isnull(action) OR action="","unknown", action) 
| eval action = if(sourcetype="xxx", final_action, action) 
| stats count values(action) as action by sourcetype

But the action output for sourcetype xxx is still empty.

I'm sure that the field is correct and populated because if I use a search without the datamodel, comparing 2 different sourcetypes we have for mails, the search works fine. For example, if I use:

index=* sourcetype IN (xxx, yyy) 
| eval action=if(sourcetype="xxx", final_action, action) 
| stats count values(action) as action by sourcetype

The output is the desired one: the action field for yyy is the already existing one, while for xxx it is overwritten with final_action values.


richgalloway
SplunkTrust

Try to avoid modifying data models.  Once modified, the customer is stuck maintaining the DM when new changes are released by Splunk.

A better practice is to modify (or create) the appropriate TA to set the action field based on sourcetype.  Then let the DM continue with its existing logic.  For example, the TA's props.conf file might contain

[xxx]
EVAL-action = final_action
---
If this reply helps you, Karma would be appreciated.