Hello,
I'm trying to do simple calculations with the eval command, but the fields I need to calculate are spread across a number of sourcetypes. The query would ultimately have a variable for user ID and would calculate data specific to the user located across multiple sourcetypes.
Would I want to use a combination of transaction/subsearches? I've tried both and a couple other approaches but I'm not sure if my issue is conceptual or with my syntax. Any suggestions?
Thanks for any help,
Use the coalesce() function. This will allow you to group events from multiple sourcetypes.
I don't think it's a conceptual issue; that should be fine, as long as, in the first part of your search where you narrow it down (sourcetype=* user=x), the user exists in both source events. Otherwise, the field you try to calculate won't return in the result set, and when eval is applied you'll get nothing.
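As an added example (not part of any post in this thread), the following search shows the pattern the two answers above describe: narrow to the user across both sourcetypes, use coalesce() in case the user-ID field is named differently in one sourcetype, then use stats to bring var1 and var2 onto the same row before eval divides them. Field names var1, var2, user_id and the sourcetype names come from the question; the alternative field name uid and the literal ID are assumptions for illustration.

```spl
(sourcetype="source1" OR sourcetype="source2") (user_id="ID" OR uid="ID")
| eval user_id=coalesce(user_id, uid)
| stats latest(var1) AS var1
        latest(var2) AS var2
        count(eval(sourcetype=="source1")) AS source1_events
        count(eval(sourcetype=="source2")) AS source2_events
    BY user_id
| where isnotnull(var1) AND isnotnull(var2) AND var2 != 0
| eval percentage=round(100 * var1 / var2, 2)
| sort - percentage
```

The reason a plain `eval percentage=var1/var2` right after the search returns nothing is that each event carries only one of the two fields (var1 from source1, var2 from source2), so the expression evaluates to null on every row. The stats step collapses the user's events into one row that has both values; the two count fields make it obvious when a user has events in only one sourcetype, which is the failure mode the second answer warns about, and the where clause drops those rows instead of producing empty results.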
Well, I can give an example but in all honesty I'm not sure if my issue is conceptual?
var1 would be a field in source1
var2 would be a field in source2
(sourcetype="source1") OR (sourcetype="source2") | search user_id="ID" | eval percentage=(var1/var2) | top percentage
OR
sourcetype="*" user_id="ID" | eval percentage=(var1/var2) | top percentage
Not sure if this clarifies...
It would probably help to see the examples of what you have tried.