All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Error in tstats command despite being first command in search

ebs
Communicator
‎12-15-2020 03:58 PM

I'm trying to validate this search, but I'm getting this error: Error in 'tstats' command: This command must be the first command of a search.

I don't know why I'm getting this error as it is the first in the search:

| tstats count as api_calls from datamodel=Change where All_Changes.user!=unknown All_Changes.status=success by All_Changes.user _time span=1h 
| `drop_dm_object_name("All_Changes")` 
| eval HourOfDay=strftime(_time, "%H") 
| eval HourOfDay=floor(HourOfDay/4)*4 
| eval DayOfWeek=strftime(_time, "%w") 
| eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) 
| table _time api_calls, user, HourOfDay, isWeekend 
| eventstats dc(api_calls) as api_calls by user, HourOfDay, isWeekend 
| where api_calls >= 1 
| fit DensityFunction api_calls by "user,HourOfDay,isWeekend" into cloud_excessive_api_calls_v1 dist=norm show_density=true 
| tstats count as api_calls from datamodel=Change where All_Changes.user!=unknown All_Changes.status=success by All_Changes.user _time span=1h 
| `drop_dm_object_name("All_Changes")` 
| eval HourOfDay=strftime(_time, "%H") 
| eval HourOfDay=floor(HourOfDay/4)*4 
| eval DayOfWeek=strftime(_time, "%w") 
| eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) 
| table _time api_calls, user, HourOfDay, isWeekend 
| eventstats dc(api_calls) as api_calls by user, HourOfDay, isWeekend 
| where api_calls >= 1 
| fit DensityFunction api_calls by "user,HourOfDay,isWeekend" into cloud_excessive_api_calls_v1 dist=norm show_density=true

 

Is this a bug or what? The search is produced by ESCU, I'm just making sure it works with the data we have

Labels (2)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎12-15-2020 05:58 PM

You have the same search what appears to be twice - i.e. the search is a 10 line search repeated twice, with a second tstats on the 11th line after the fit statement. Is that a typo?

 

0 Karma
Reply

renjith_nair
Legend
‎12-15-2020 05:50 PM

Just suggestion : Please use code sample (<>) to add your search or XML snippets for better readability. Edited and formatted this post 🙂

Not sure if it's a copy paste error, but the search is repeating and hence you have a second tstats in the middle of the search.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...