Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

why is eval function not working for calculated field but works when run as a search using two different source type

LionelRubdi
New Member
‎06-20-2017 09:22 PM

My calculated field with the following eval function is not returning values

round(if(svt_due_date=="null",sv_due_date,(svt_due_date - c_isnull_reported_submited_date ))/3600000)

but when I run the eval expression as a search - it does return a value.

.....index=abc| eval cc_resolved_sla_hours=round(if(svt_due_date=="null",sv_due_date,(svt_due_date - c_isnull_reported_submited_date ))/3600000)

I have tried using host, source type as itam* and also the source type. The svt_due_date is from another source type from the same index (the resulting value is calculation from 2 source types from the same index). I have also tried “sourcetype=itam_inc_xml OR sourcetype=itam_sla_xml” in the calculated field which did not work.

Is there something I may be missing or creating the calculated fields incorrectly?

Tags (2)
0 Karma
Reply

thirumalreddyb
Communicator
‎06-21-2017 06:29 AM

You query would work only if all the fields that you are using in the eval expression are under the same sourcetype/source/host based on the stanza that you are using in your props.

0 Karma
Reply

cmerriman
Super Champion
‎06-21-2017 04:59 AM

does svt_due_date actually have a "null" value or is it a blank/null field value? try replacing with isnull(svt_due_date) if it is actually a null value

0 Karma
Reply

LionelRubdi
New Member
‎06-21-2017 05:43 AM

The field has blank values and date in epoch. This field is from another source type from the same index. The same eval expression works when run as a search but not when run as a calculated field. I doubt I'd calculated can have multiple source types . Can you confirm please ? What other options I have to create a calculated field using multiple source types ? Thanks in advance

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...