Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Display Total transactions with overall count and without taking where clause events in consideration.

Gauri
Engager
‎07-26-2024 09:46 AM

I want to display total transactions without where condition in result with other fields which has specific where condition,

for.eg 

| eval
totalResponseTime=round(requestTimeinSec*1000),
| convert num("requestTimeinSec")

| rangemap field="totalResponseTime" "totalResponseTime"=0-3000
| rename range as RangetotalResponseTime
| eval totalResponseTimeabv3sec=round(requestTimeinSec*1000)

| rangemap field="totalResponseTimeabv3sec" "totalResponseTimeabv3sec"=3001-60000
| rename range as RangetotalResponseTimeabv3sec

| eval Product=case(
(like(proxyUri,"URI1") AND like(methodName,"POST"))OR
(like(proxyUri,"URI2") AND like(methodName,"GET"))OR
(like(proxyUri,"URI3") AND like(methodName,"GET")),"ABC")
| bin span=5m _time
| stats count(totalResponseTime) as TotalTrans
count(eval(RangetotalResponseTime="totalResponseTime")) as TS<3S
count(eval(RangetotalResponseTimeabv3sec="totalResponseTimeabv3sec")) as TS>3SS
by Product URI methodName _time

| eval TS<XS=case( Product="ABC",'TS<3S')

| eval TS>3S = 'TotalTrans'-'TS<XS'

| eval SLI=case(Product="ABC",round('TS<3S'/TotalTrans*100,4))

| rename methodName AS Method
| where (Product="ABC") and (SLI<99)

| stats sum(TS>3S) As AvgImpact
count(URI) as DataOutage
by Product URI Method

| fields Product URI Method TotalTrans SLI AvgImpact DataOutage

| sort Product URI Method
Labels (1)
Labels
0 Karma
Reply

KendallW
Contributor
‎07-29-2024 10:00 PM

Hi @Gauri you can use "|eventstats" instead of "|stats" to keep the data in the pipeline for the later "|stats" command:

 

 

| eval totalResponseTime=round(requestTimeinSec*1000) 
| convert num("requestTimeinSec") 
| rangemap field="totalResponseTime" "totalResponseTime"=0-3000 
| rename range as RangetotalResponseTime 
| eval totalResponseTimeabv3sec=round(requestTimeinSec*1000) 
| rangemap field="totalResponseTimeabv3sec" "totalResponseTimeabv3sec"=3001-60000 
| rename range as RangetotalResponseTimeabv3sec 
| eval Product=case(
    (like(proxyUri,"URI1") AND like(methodName,"POST")) OR
    (like(proxyUri,"URI2") AND like(methodName,"GET")) OR
    (like(proxyUri,"URI3") AND like(methodName,"GET")), "ABC") 
| bin span=5m _time 
| stats count(totalResponseTime) as TotalTrans by Product URI methodName _time 
| eventstats sum(eval(RangetotalResponseTime="totalResponseTime")) as TS<3S by Product URI methodName 
| eventstats sum(eval(RangetotalResponseTimeabv3sec="totalResponseTimeabv3sec")) as TS>3S by Product URI methodName 
| eval SLI=case(Product="ABC", round('TS<3S'/TotalTrans*100,4)) 
| rename methodName AS Method 
| where (Product="ABC") and (SLI<99) 
| stats sum(TS>3S) as AvgImpact count(URI) as DataOutage by Product URI Method 
| fields Product URI Method TotalTrans SLI AvgImpact DataOutage 
| sort Product URI Method

 

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-26-2024 10:01 AM

And what is the question?

0 Karma
Reply

Gauri
Engager
‎07-26-2024 10:09 AM

No value is getting displayed in TotalTrans field when I am running the given query.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-26-2024 10:17 AM

You can either start from the beginning adding subsequent commands to see when your results stop being what you wanted them to be or from the end - removing commands one by one untill your intermediate results start making sense.

0 Karma
Reply

Gauri
Engager
‎07-29-2024 03:32 AM

I am using two stats,

1. 1st stats has some fields filtered by _time 

      | stats count(totalResponseTime) as TotalTrans by Product URI methodName _time

2. 2nd stats has some fields filtered without time

    | stats sum(TS>3S) As AvgImpact
      count(URI) as DataOutage by Product URI Method 

I want the both stats fields to be displayed in the result.

for.eg , | fields TotalTrans Product URI Method AvgImpact DataOutage

 

How can I achieve this ?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-29-2024 03:56 AM

OK. You can't do something with the data you already removed in your search pipeline. So you can't do two separate stats commands with different aggregations and different sets of "by" fields. Either rewrite your search to have a more granular set ot the "by" fields (but if you get too many of them you might get too many results) and then later additionally summarize your events (for example using eventstats) or simply use two separate searches.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...