Solved: How to create unique field names from two data sou...

pkeller · ‎02-10-2016

I have two data sources, each with a field named foo.
Each data source has a different sourcetype, so I'd like to do something like this:

(sourcetype=STa) OR (sourcetype=STb) | ...

if sourcetype is STa, I'd like to rename foo to fooA
if sourcetype is STb, I'd like to rename foo to fooB

Using eval fooA = coalesce(foo,NULL) works, but I'm not sure how to make it conditional so that it only acts on events with the STa sourcetype.

Thank you

javiergn · ‎02-10-2016

You can use the following technique:

eval fooA = if(sourcetype == "STa", foo, "")

And the same for fooB

somesoni2 · ‎02-10-2016

IMO, the coalesce approach is what's needed here. It'll run for each event (for both sourcetypes) but so as any rename command.

pkeller · ‎02-10-2016

I'd considered that, but wasn't quite sure how to place the coalesce into an "if" block

javiergn · ‎02-10-2016

You can use the following technique:

eval fooA = if(sourcetype == "STa", foo, "")

And the same for fooB

pkeller · ‎02-10-2016

Thank you very much.

How to create unique field names from two data sources that share a common field name?