All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Error in tstats command despite being first command in search

ebs
Communicator
‎12-15-2020 03:58 PM

I'm trying to validate this search, but I'm getting this error: Error in 'tstats' command: This command must be the first command of a search.

I don't know why I'm getting this error as it is the first in the search:

| tstats count as api_calls from datamodel=Change where All_Changes.user!=unknown All_Changes.status=success by All_Changes.user _time span=1h 
| `drop_dm_object_name("All_Changes")` 
| eval HourOfDay=strftime(_time, "%H") 
| eval HourOfDay=floor(HourOfDay/4)*4 
| eval DayOfWeek=strftime(_time, "%w") 
| eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) 
| table _time api_calls, user, HourOfDay, isWeekend 
| eventstats dc(api_calls) as api_calls by user, HourOfDay, isWeekend 
| where api_calls >= 1 
| fit DensityFunction api_calls by "user,HourOfDay,isWeekend" into cloud_excessive_api_calls_v1 dist=norm show_density=true 
| tstats count as api_calls from datamodel=Change where All_Changes.user!=unknown All_Changes.status=success by All_Changes.user _time span=1h 
| `drop_dm_object_name("All_Changes")` 
| eval HourOfDay=strftime(_time, "%H") 
| eval HourOfDay=floor(HourOfDay/4)*4 
| eval DayOfWeek=strftime(_time, "%w") 
| eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) 
| table _time api_calls, user, HourOfDay, isWeekend 
| eventstats dc(api_calls) as api_calls by user, HourOfDay, isWeekend 
| where api_calls >= 1 
| fit DensityFunction api_calls by "user,HourOfDay,isWeekend" into cloud_excessive_api_calls_v1 dist=norm show_density=true

 

Is this a bug or what? The search is produced by ESCU, I'm just making sure it works with the data we have

Labels (2)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎12-15-2020 05:58 PM

You have the same search what appears to be twice - i.e. the search is a 10 line search repeated twice, with a second tstats on the 11th line after the fit statement. Is that a typo?

 

0 Karma
Reply

renjith_nair
Legend
‎12-15-2020 05:50 PM

Just suggestion : Please use code sample (<>) to add your search or XML snippets for better readability. Edited and formatted this post 🙂

Not sure if it's a copy paste error, but the search is repeating and hence you have a second tstats in the middle of the search.

Happy Splunking!
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...