Solved: How to use tstats command with datamodel and like ...

N92 · ‎06-20-2019

How to use tstats command with like function.
Ex:

| tstats count(eval(Authentication.action, "failure%")) as failure,  count(eval(Authentication.action, "success%"))  as success by src

Why does it give an error?

harsmarvania57 · ‎06-20-2019

Hi,

tstats does not support complex aggregation function. ref. doc https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Tstats#Complex_aggregate_function...

So you can use below query

| tstats count from datamodel=Authentication by Authentication.src,Authentication.action
| stats sum(eval(if(like('Authentication.action', "failure%"),count,0))) as failure sum(eval(if(like('Authentication.action', "success%"),count,0))) as success by Authentication.src

View solution in original post

harsmarvania57 · ‎06-20-2019

Hi,

tstats does not support complex aggregation function. ref. doc https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/Tstats#Complex_aggregate_function...

So you can use below query

| tstats count from datamodel=Authentication by Authentication.src,Authentication.action
| stats sum(eval(if(like('Authentication.action', "failure%"),count,0))) as failure sum(eval(if(like('Authentication.action', "success%"),count,0))) as success by Authentication.src

How to use tstats command with datamodel and like function

Exciting News: The AppDynamics Community Joins Splunk!

The All New Performance Insights for Splunk

Good Sourcetype Naming

Are you a member of the Splunk Community?

How to use tstats command with datamodel and like function

Exciting News: The AppDynamics Community Joins Splunk!

The All New Performance Insights for Splunk

Good Sourcetype Naming