I am designing a Data Model wherein I am specifying two or more sourcetypes in the constraints. The eval does not return values when I try to sum fields.
Constraint: index=some sourcetype=a OR sourcetype=b OR sourcetype=c
Extracted: FieldA , FieldB
The calculated field does not have values. FieldA is in sourcetype a and FieldB is in sourcetype c.
When I execute the search, eval does NOT work. But as a workaround, if I add
stats values(*) as * by _time it works.
index=some sourcetype=a OR sourcetype=b OR sourcetype=c | stats values(*) as * by MARKET, _time | eval result=fielda+fieldb | timechart span=7d result
The eval is failing because the field is not present and hence has no value. My question is how to mimic the above search in the Data Model, or is there a better way? I want to use this as a Root Event so that I can accelerate the data model.
Thank you in advance.
The problem is surely that fielda is coming from events in different sourcetypes than fieldb (e.g. only sourcetypea has events with non-null fielda and only sourcetypeb has events with non-null fieldb). The only way to resolve this is to create aggregate events by using stats values(*) AS *. The fields (obviously) must both be present in each event for the calculation to work.
Okay, so you need to be clear what you are trying to achieve.
In a single event you are only going to have a FieldA OR a FieldB. So, at the event level, your calculation needs to be something like
| eval result=coalesce(FieldA,0)+coalesce(FieldB,0)
The two individual fields will only be summable when there are multiple different events being summed, for example, when you are doing a stats or eventstats command.
I know why the eval is failing. It is because the fields are not present in both source types. My question was whether there is any better way to address the workaround. Your suggestion on coalesce seems like one workaround option, but it is NOT the clean way. I am looking for a better way to address this. Thank you for your suggestion.
Not sure why you would consider that "not the clean way", but six months later, I would not be using a + at all. This is cleaner, in my current opinion:
index=some sourcetype=a OR sourcetype=b OR sourcetype=c | eval result=coalesce(result,FieldA,FieldB) | timechart span=7d sum(result) as result
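The following is an added Python model of the null-handling semantics the thread is about; it is not code from the thread or from Splunk, and it only stands in for Splunk's eval, coalesce(), stats values(*) and timechart on a handful of constructed events (the field names FieldA, FieldB and MARKET are taken from the thread; the timestamps, values and a 100-second span are made up). It runs the four searches discussed above side by side: the original eval, the stats-first workaround, coalesce(FieldA,0)+coalesce(FieldB,0), and coalesce(result,FieldA,FieldB). Two caveats it makes visible that the thread only hints at: the stats-first form still returns null for any MARKET/_time group in which one of the two fields never appears, and the two coalesce() forms agree only while no single event carries both fields, because coalesce(result,FieldA,FieldB) keeps just the first non-null value. Any of the three eval expressions can be entered as a calculated field (eval expression) on the data model's root event; the stats-first form cannot, which is the practical reason the thread steers toward coalesce().

```python
"""Python model of the Splunk null semantics discussed above.

Constructed events stand in for index=some with sourcetypes a, b, c.
This illustrates null handling; it is not Splunk and not code from the thread.
"""
from collections import defaultdict

SPAN = 100  # made-up timechart span in seconds (the thread uses span=7d)

# Constructed sample events. FieldA lives only on sourcetype a, FieldB only on
# sourcetype c; sourcetype b has neither. The last event carries both fields,
# an edge case the thread's premise excludes, included to show where the two
# coalesce() forms diverge.
EVENTS = [
    {"_time": 0,   "sourcetype": "a", "MARKET": "US", "FieldA": 10},
    {"_time": 0,   "sourcetype": "c", "MARKET": "US", "FieldB": 5},
    {"_time": 0,   "sourcetype": "b", "MARKET": "US"},
    {"_time": 100, "sourcetype": "a", "MARKET": "EU", "FieldA": 3},
    {"_time": 100, "sourcetype": "c", "MARKET": "EU", "FieldB": 4},
    {"_time": 200, "sourcetype": "a", "MARKET": "US", "FieldA": 7},
    {"_time": 200, "sourcetype": "a", "MARKET": "EU", "FieldA": 1, "FieldB": 2},
]


def add(x, y):
    """eval arithmetic: a null (missing) operand makes the result null."""
    return None if x is None or y is None else x + y


def coalesce(*vals):
    """eval coalesce(): the first argument that is not null, else null."""
    return next((v for v in vals if v is not None), None)


def stats_values_by(events, keys):
    """| stats values(*) as * by <keys>: one row per key tuple; every other
    field becomes the sorted list of distinct values seen in that group."""
    groups = defaultdict(lambda: defaultdict(set))
    for e in events:
        k = tuple(e[key] for key in keys)
        for f, v in e.items():
            if f not in keys:
                groups[k][f].add(v)
    rows = []
    for k, fields in groups.items():
        row = dict(zip(keys, k))
        row.update({f: sorted(v) for f, v in fields.items()})
        rows.append(row)
    return rows


def single(mv):
    """Unwrap a one-element multivalue field. Arithmetic on true multivalue
    fields is not modelled; the constructed data never produces one."""
    if mv is None:
        return None
    if len(mv) != 1:
        raise ValueError(f"multivalue arithmetic not modelled: {mv}")
    return mv[0]


def timechart_sum(rows, span=SPAN):
    """| timechart span=<span> sum(result): null results contribute nothing."""
    buckets = defaultdict(int)
    for r in rows:
        if r["result"] is not None:
            buckets[r["_time"] - r["_time"] % span] += r["result"]
    return dict(buckets)


def pipeline_naive(events=EVENTS):
    """| eval result=FieldA+FieldB | timechart sum(result)"""
    rows = [dict(e, result=add(e.get("FieldA"), e.get("FieldB"))) for e in events]
    return timechart_sum(rows)


def pipeline_coalesce_zero(events=EVENTS):
    """| eval result=coalesce(FieldA,0)+coalesce(FieldB,0) | timechart sum(result)"""
    rows = [dict(e, result=coalesce(e.get("FieldA"), 0) + coalesce(e.get("FieldB"), 0))
            for e in events]
    return timechart_sum(rows)


def pipeline_coalesce_pick(events=EVENTS):
    """| eval result=coalesce(result,FieldA,FieldB) | timechart sum(result)"""
    rows = [dict(e, result=coalesce(e.get("result"), e.get("FieldA"), e.get("FieldB")))
            for e in events]
    return timechart_sum(rows)


def pipeline_stats_first(events=EVENTS):
    """| stats values(*) as * by MARKET, _time | eval result=FieldA+FieldB | timechart sum(result)"""
    rows = stats_values_by(events, ["MARKET", "_time"])
    for r in rows:
        r["result"] = add(single(r.get("FieldA")), single(r.get("FieldB")))
    return timechart_sum(rows)


if __name__ == "__main__":
    for p in (pipeline_naive, pipeline_stats_first,
              pipeline_coalesce_zero, pipeline_coalesce_pick):
        print(f"{p.__name__:24s} {p()}")
```

Running it prints one bucket map per search. The plain eval only yields a value for the single event that happens to carry both fields; the stats-first search recovers the US/0 and EU/100 groups but still drops US/200, where no FieldB event exists; coalesce(FieldA,0)+coalesce(FieldB,0) counts every event; and coalesce(result,FieldA,FieldB) matches it except on the both-fields event, where it silently drops FieldB.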