Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Can we use the eval command to calculate fields across different sourcetypes? What is the best approach?

ewm87
New Member
‎05-17-2012 09:43 AM

Hello,

I'm trying to do simple calculations with the eval command but the fields I need to calculate are spread across a number sourcetypes. The query would ultimately have a variable for user ID and would calculate data specific to the user located across multiple sourcetypes

Would I want to use a combination of transaction/subsearches? I've tried both and a couple other approaches but I'm not sure if my issue is conceptual or with my syntax. Any suggestions?

Thanks for any help,

0 Karma
Reply

mship
Path Finder
‎05-17-2012 11:33 AM

Use the coalesce() function. This will allow you to group events from multiple sourcetypes.

Reply

sdaniels
Splunk Employee
Splunk Employee
‎05-17-2012 11:18 AM

I don't think it's a conceptual issue, that should be fine. As long as the first part of your search when you narrow it down (sourcetype=* user=x ) that the user exists in both source events. Otherwise, the field you try to calculate won't return in the result set and when eval is applied you'll get nothing.

0 Karma
Reply

ewm87
New Member
‎05-17-2012 10:47 AM

Well, I can give an example but in all honesty I'm not sure if my issue is conceptual?

var1 would be a field in source1
var2 would be a field in source2

(sourcetype="source1") OR (sourcetype="source2")| user_id="ID" | eval percentage=(var1/var2) | top percentage

OR

sourcetype="*" user_id="ID" | eval percentage=(var1/var2) | top percentage

Not sure if this clarifies...

0 Karma
Reply

sdaniels
Splunk Employee
Splunk Employee
‎05-17-2012 10:17 AM

It would probably help to see the examples of what you have tried.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...