Hi,
I am using the simple search below, where I am using coalesce to test.
index=fios 110788439127166000
| eval check=coalesce(SVC_ID,DELPHI_REQUEST.REQUEST.COMMAND)
| table DELPHI_REQUEST.REQUEST.COMMAND, host, SVC_ID, check
| rename DELPHI_REQUEST.REQUEST.COMMAND as "COMMAND"
I am getting the output below, where coalesce is not printing the value of the field DELPHI_REQUEST.REQUEST.COMMAND; instead it is printing a null value.
COMMAND        host      SVC_ID    check
----------------------------------------
GET_TOPOLOGY   dlfdam1
GET_TOPOLOGY   dlfdam1
However, if I use the query below, coalesce is working fine.
index=fios 110788439127166000
| eval check=coalesce(SVC_ID,host)
| table DELPHI_REQUEST.REQUEST.COMMAND, host, SVC_ID, check
| rename DELPHI_REQUEST.REQUEST.COMMAND as "COMMAND"
COMMAND        host      SVC_ID    check
----------------------------------------
GET_TOPOLOGY   dlfdam1             dlfdam1
GET_TOPOLOGY   dlfdam1             dlfdam1
Can someone help me understand why it is not working with extracted fields but is working with the host field?
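A self-contained reproduction of the behaviour asked about above, as an added example that is not part of the original post: in eval, an unquoted period is the string concatenation operator, so DELPHI_REQUEST.REQUEST.COMMAND is read as three separate fields joined together, which evaluates to null when those fields do not exist. Wrapping the name in single quotes, or renaming the field before the eval, makes coalesce see the extracted field. The JSON event built with makeresults and the field names check_unquoted, check_quoted and check_renamed are constructed for illustration.

```spl
| makeresults
| eval host="dlfdam1"
| eval _raw="{\"DELPHI_REQUEST\": {\"REQUEST\": {\"COMMAND\": \"GET_TOPOLOGY\"}}}"
| spath
| eval check_unquoted=coalesce(SVC_ID, DELPHI_REQUEST.REQUEST.COMMAND)
| eval check_quoted=coalesce(SVC_ID, 'DELPHI_REQUEST.REQUEST.COMMAND')
| rename DELPHI_REQUEST.REQUEST.COMMAND as COMMAND
| eval check_renamed=coalesce(SVC_ID, COMMAND)
| table COMMAND, host, SVC_ID, check_unquoted, check_quoted, check_renamed
```

check_unquoted comes back empty, while check_quoted and check_renamed both contain GET_TOPOLOGY.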