All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Error in tstats command despite being first command in search

ebs
Communicator
‎12-15-2020 03:58 PM

I'm trying to validate this search, but I'm getting this error: Error in 'tstats' command: This command must be the first command of a search.

I don't know why I'm getting this error as it is the first in the search:

| tstats count as api_calls from datamodel=Change where All_Changes.user!=unknown All_Changes.status=success by All_Changes.user _time span=1h 
| `drop_dm_object_name("All_Changes")` 
| eval HourOfDay=strftime(_time, "%H") 
| eval HourOfDay=floor(HourOfDay/4)*4 
| eval DayOfWeek=strftime(_time, "%w") 
| eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) 
| table _time api_calls, user, HourOfDay, isWeekend 
| eventstats dc(api_calls) as api_calls by user, HourOfDay, isWeekend 
| where api_calls >= 1 
| fit DensityFunction api_calls by "user,HourOfDay,isWeekend" into cloud_excessive_api_calls_v1 dist=norm show_density=true 
| tstats count as api_calls from datamodel=Change where All_Changes.user!=unknown All_Changes.status=success by All_Changes.user _time span=1h 
| `drop_dm_object_name("All_Changes")` 
| eval HourOfDay=strftime(_time, "%H") 
| eval HourOfDay=floor(HourOfDay/4)*4 
| eval DayOfWeek=strftime(_time, "%w") 
| eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) 
| table _time api_calls, user, HourOfDay, isWeekend 
| eventstats dc(api_calls) as api_calls by user, HourOfDay, isWeekend 
| where api_calls >= 1 
| fit DensityFunction api_calls by "user,HourOfDay,isWeekend" into cloud_excessive_api_calls_v1 dist=norm show_density=true

 

Is this a bug or what? The search is produced by ESCU, I'm just making sure it works with the data we have

Labels (2)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎12-15-2020 05:58 PM

You have the same search what appears to be twice - i.e. the search is a 10 line search repeated twice, with a second tstats on the 11th line after the fit statement. Is that a typo?

 

0 Karma
Reply

renjith_nair
Legend
‎12-15-2020 05:50 PM

Just suggestion : Please use code sample (<>) to add your search or XML snippets for better readability. Edited and formatted this post 🙂

Not sure if it's a copy paste error, but the search is repeating and hence you have a second tstats in the middle of the search.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...