Solved: Trying to return an event based on an eval if stat...

maximus_reborn · ‎05-24-2016

I am calculating distance between the 2 latitude and longitude and if the distance > 0, then it will return the event or else it does not do anything. An event contains a Json message body. Following is the search I am using, but it is giving me an error.

sourcetype=SplunkRabbitMQ_messaging | spath input=msg_body | eval distance=sqrt(pow('13'-[search sourcetype=SplunkKafka_messaging | spath input=msg_body | eval lat2=pickup_latitude | return $lat2],2)+pow('5'-[search sourcetype=SplunkKafka_messaging | spath input=msg_body | eval long2=pickup_longitude | return $long2],2)) | eval result = if (distance>0, [search sourcetype=SplunkRabbitMQ_messaging | spath input=msg_body], [search sourcetype=SplunkKafka_messaging | spath input=msg_body]) | return $result

Error:

Error in 'eval' command: Typechecking failed. The '==' operator received different types.

I have to use this search in real-time.
Update: In the search , '13' & '5' are the column indexes and not the numeric value.

somesoni2 · ‎05-24-2016

I'll give this a shot

[search sourcetype=SplunkRabbitMQ_messaging | spath input=msg_body | eval distance=sqrt(pow('13'-[search sourcetype=SplunkKafka_messaging | spath input=msg_body | eval lat2=pickup_latitude | return $lat2],2)+pow('5'-[search sourcetype=SplunkKafka_messaging | spath input=msg_body | eval long2=pickup_longitude | return $long2],2)) | eval sourcetype=if (distance>0, "SplunkRabbitMQ_messaging", "SplunkKafka_messaging") | table sourcetype] 
| spath input=msg_body

The subsearch (all line except last line) will return which sourcetype to use.

View solution in original post

somesoni2 · ‎05-24-2016

I'll give this a shot

[search sourcetype=SplunkRabbitMQ_messaging | spath input=msg_body | eval distance=sqrt(pow('13'-[search sourcetype=SplunkKafka_messaging | spath input=msg_body | eval lat2=pickup_latitude | return $lat2],2)+pow('5'-[search sourcetype=SplunkKafka_messaging | spath input=msg_body | eval long2=pickup_longitude | return $long2],2)) | eval sourcetype=if (distance>0, "SplunkRabbitMQ_messaging", "SplunkKafka_messaging") | table sourcetype] 
| spath input=msg_body

The subsearch (all line except last line) will return which sourcetype to use.

maximus_reborn · ‎05-24-2016

Thanks it worked like a charm.

sjohnson_splunk · ‎05-24-2016

Run your search before the eval result and table distance. I suspect you are getting a value that is not a number.

You might also consider downloading the haversign app to do the calculation for you:

https://splunkbase.splunk.com/app/936/

maximus_reborn · ‎05-24-2016

Thanks I will have a look on it.

jkat54 · ‎05-24-2016

You're putting integers in single quotes which is declaring them as strings, then you're trying math on strings. Do this instead:

sourcetype=SplunkRabbitMQ_messaging | spath input=msg_body | eval distance=sqrt(pow(13-[search sourcetype=SplunkKafka_messaging | spath input=msg_body | eval lat2=pickup_latitude | return $lat2],2)+pow(5-[search sourcetype=SplunkKafka_messaging | spath input=msg_body | eval long2=pickup_longitude | return $long2],2)) | eval result = if (distance>0, [search sourcetype=SplunkRabbitMQ_messaging | spath input=msg_body], [search sourcetype=SplunkKafka_messaging | spath input=msg_body]) | return $result

maximus_reborn · ‎05-24-2016

Sorry I have updated the question. '13' & '5' were the column indexes of sourcetype=SplunkRabbitMQ_messaging, i was referring.
Though I ran your query and it resulted in the same error.

Trying to return an event based on an eval if statement, why am I getting "Typechecking failed. The '==' operator received different types."?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms