My calculated field with the following eval function is not returning values
round(if(svtduedate=="null",svduedate,(svtduedate - cisnullreportedsubmiteddate ))/3600000)
but when I run the eval expression as a search - it does return a value.
.....index=abc| eval ccresolvedslahours=round(if(svtduedate=="null",svduedate,(svtduedate - cisnullreportedsubmited_date ))/3600000)
I have tried using host, source type as itam* and also the source type. The svtduedate is from another source type from the same index (the resulting value is calculation from 2 source types from the same index). I have also tried “sourcetype=itamincxml OR sourcetype=itamslaxml” in the calculated field which did not work.
Is there something I may be missing or creating the calculated fields incorrectly?
You query would work only if all the fields that you are using in the eval expression are under the same sourcetype/source/host based on the stanza that you are using in your props.
The field has blank values and date in epoch. This field is from another source type from the same index. The same eval expression works when run as a search but not when run as a calculated field. I doubt I'd calculated can have multiple source types . Can you confirm please ? What other options I have to create a calculated field using multiple source types ? Thanks in advance