Solved: Check event count before running stats?

exocore123 · ‎04-13-2021

I have a query where it runs a certain summary query every 15 minutes in a bucket. However, there are fairly frequent maintenance that happens for our splunk dev team which causes a lot of missing time frames in the query and causes our alerts to misfire.

Currently:

index=summary-ecp-ord-oms source=ecp-ord-owls-transaction-perf-15min earliest=-10080m latest=-10070m  | stats sum(count) as previous by request

I was wondering if there is something like a way to check if the results from the initial query is more than 3, then run the stats on the data. Otherwise, return nothing.

index=summary-ecp-ord-oms source=ecp-ord-owls-transaction-perf-15min earliest=-10080m latest=-10070m | where eventcount > 3 | stats sum(count) as previous by request

ITWhisperer · ‎04-13-2021

index=summary-ecp-ord-oms source=ecp-ord-owls-transaction-perf-15min earliest=-10080m latest=-10070m | eventstats count as eventcount | where eventcount > 3 | stats sum(count) as previous by request

View solution in original post

ITWhisperer · ‎04-13-2021

index=summary-ecp-ord-oms source=ecp-ord-owls-transaction-perf-15min earliest=-10080m latest=-10070m | eventstats count as eventcount | where eventcount > 3 | stats sum(count) as previous by request

exocore123 · ‎04-13-2021

Ooof, I was so close to the answer. Thank you. Didnt realize I was writing eventstat wrong

Check event count before running stats?

eval

join

stats

subsearch

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update