Solved: Order of search ops with eval vs fieldformat

bmgilmore · ‎04-16-2013

If I run a search such as the following:

sourcetype=access_combined action=purchase | stats sum(price) as Price by product_name, productId | eval revenue="$"+tostring(Price) | fields - Price

the revenue field calculates correctly. If I structure a bit differently:

sourcetype=access_combined action=purchase | stats sum(price) as Price by product_name, productId | fieldformat revenue="$"+tostring(Price) | fields - Price

revenue does not calculate correctly ($Null), it appears that downstream operations do not work with fieldformat?

Let me know, thanks!

jonuwz · ‎04-16-2013

When you eval, revenue actually gets set to $ + whatever the value of "Price" is, so its safe to remove "Price" from the list of fields.

When you fieldformat, revenue is displayed as $ + the field known as "Price"

You then remove Price, so Price is null (i.e. revenue can not reference Price any more)

You can do fieldformat Price="$".Price instead

View solution in original post

jonuwz · ‎04-16-2013

When you eval, revenue actually gets set to $ + whatever the value of "Price" is, so its safe to remove "Price" from the list of fields.

When you fieldformat, revenue is displayed as $ + the field known as "Price"

You then remove Price, so Price is null (i.e. revenue can not reference Price any more)

You can do fieldformat Price="$".Price instead

Order of search ops with eval vs fieldformat

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

Order of search ops with eval vs fieldformat

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR