topic Re: Why is tstats command with eval not working on a particular field? in Splunk Search

Why is tstats command with eval not working on a particular field?

nmohammed — Sat, 15 Sep 2018 00:23:14 GMT

hi,

I am trying to combine results into two categories based of an eval statement.

The original query returns the results fine, but is slow because of large amount of results and extended time frame:

index=enc sourcetype=enc type=trace source=*123456*|  eval  Call = if(app_type="API", "sdk", "non-sdk") |  stats count by Call

I tried the following with tstats, but none of them work, meaning displayed 0 results.

| tstats count from datamodel=Enc where sourcetype=trace  Enc.type=TRACE  Enc.cid=1234567 Enc.app_type=* 
| `drop_dm_object_name("Enc")`
| eval Call=if(app_type=="API", "sdk","non-sdk") 
| stats sum(count) by Call

AND

| tstats  count from datamodel=Enc where sourcetype=enc-trace  Enc.type=TRACE  Enc.cid=1234567
| `drop_dm_object_name("Enc")` 
| eval sdk=if(app_type="API",count,0), non-sdk=if(app_type!="API",count,0) 
| stats sum(sdk) as SDK, sum(non-sdk) as NON-SDK

appreciate help and ideas from Splunkers.

Thanks

Re: Why is tstats command with eval not working on a particular field?

jkat54 — Sat, 15 Sep 2018 10:20:58 GMT

try adding prestats=true to your tstats commands.

Thats always needed if you're going to feed tstats into timechart, stats, etc.

For example:

| tstats prestats=true count from datamodel=Enc where sourcetype=trace Enc.type=TRACE Enc.cid=1234567 Enc.app_type=* 
| drop_dm_object_name("Enc")
| eval Call=if(app_type=="API", "sdk","non-sdk") 
| stats sum(count) by Call

Re: Why is tstats command with eval not working on a particular field?

nmohammed — Tue, 29 Sep 2020 21:19:27 GMT

Thanks jkat54.

adding prestats=true displays blank results with a single column non-sdk
| tstats prestats=true count from datamodel=Enc where sourcetype=trace Enc.type=TRACE Enc.cid=1234567 Enc.app_type=*
| drop_dm_object_name("Enc")
| eval Call=if(app_type=="API", "sdk","non-sdk")
| stats sum(count) by Call

results -

Call sum(count)
non-sdk

index=enc sourcetype=enc type=trace source=123456| eval Call = if(app_type="API", "sdk", "non-sdk") | stats count by Call

Call count
non-sdk 1144197
sdk 513994

Re: Why is tstats command with eval not working on a particular field?

nmohammed — Tue, 29 Sep 2020 21:19:30 GMT

I was able to get the results. Realized that we were not using the actual field app_type with GROUPBY in the tstats base search .. doing the following returned the expected results and I have validated them to be true.

| tstats count from datamodel=Enc where sourcetype=trace Enc.type=TRACE Enc.cid=1234567 GROUBPBY Enc.app_type
| drop_dm_object_name("Enc")
| eval Call=if(app_type=="API", "sdk","non-sdk")
| stats sum(count) by Call