topic Re: How can I find results only iff the previous queries returns results? in Splunk Search

How can I find results only iff the previous queries returns results?

yk010123 — Wed, 19 Apr 2023 23:03:25 GMT

I calculate the requests per second for my application using the following query:

method!=GET process="start" | timechart count by region limit=0 | timechart per_second(*)

I also calculate the number of errors my application is producing using the following separate query

process=end AND status=500 | timechart count | timechart per_second(*)

I am trying to find a query that will answer when my application "breaks", or in other words, what is the requests per second that causes my application to have more than N errors

Re: How can I find results only iff the previous queries returns results?

yeahnah — Thu, 20 Apr 2023 01:07:16 GMT

Hi @yk010123

It usually easier to help when there are some example events provided, but based on what you've shown in the SPL something like this should work

(method!=GET process="start") OR (process=end AND status=500) | eval region=coalesce(region, "none") ``` account for end event not having a region ``` ,type=if(process="start", "start", "end") | stats count BY _time type region | timechart span=1m sum(eval(type="start")) AS start sum(eval(type="end")) AS end BY region | timechart per_second(*)

One query that combines the results into one table/graph.

Hope it helps