Splunk Search

Display Total transactions with overall count and without taking where clause events in consideration.

Gauri
Engager

I want to display the total transactions (without the where condition) in the result, alongside other fields which have a specific where condition,

For example:

| eval totalResponseTime=round(requestTimeinSec*1000)
| convert num("requestTimeinSec")

| rangemap field="totalResponseTime" "totalResponseTime"=0-3000
| rename range as RangetotalResponseTime
| eval totalResponseTimeabv3sec=round(requestTimeinSec*1000)

| rangemap field="totalResponseTimeabv3sec" "totalResponseTimeabv3sec"=3001-60000
| rename range as RangetotalResponseTimeabv3sec

| eval Product=case(
    (like(proxyUri,"URI1") AND like(methodName,"POST")) OR
    (like(proxyUri,"URI2") AND like(methodName,"GET")) OR
    (like(proxyUri,"URI3") AND like(methodName,"GET")), "ABC")
| bin span=5m _time
| stats count(totalResponseTime) as TotalTrans
count(eval(RangetotalResponseTime="totalResponseTime")) as TS<3S
count(eval(RangetotalResponseTimeabv3sec="totalResponseTimeabv3sec")) as TS>3SS
by Product URI methodName _time

| eval TS<XS=case( Product="ABC",'TS<3S')

| eval TS>3S = 'TotalTrans'-'TS<XS'

| eval SLI=case(Product="ABC",round('TS<3S'/TotalTrans*100,4))

| rename methodName AS Method
| where (Product="ABC") and (SLI<99)

| stats sum(TS>3S) as AvgImpact
count(URI) as DataOutage
by Product URI Method

| fields Product URI Method TotalTrans SLI AvgImpact DataOutage

| sort Product URI Method


KendallW
Contributor

Hi @Gauri, you can use "| eventstats" instead of "| stats" to keep the data in the pipeline for the later "| stats" command:

| eval totalResponseTime=round(requestTimeinSec*1000) 
| convert num("requestTimeinSec") 
| rangemap field="totalResponseTime" "totalResponseTime"=0-3000 
| rename range as RangetotalResponseTime 
| eval totalResponseTimeabv3sec=round(requestTimeinSec*1000) 
| rangemap field="totalResponseTimeabv3sec" "totalResponseTimeabv3sec"=3001-60000 
| rename range as RangetotalResponseTimeabv3sec 
| eval Product=case(
    (like(proxyUri,"URI1") AND like(methodName,"POST")) OR
    (like(proxyUri,"URI2") AND like(methodName,"GET")) OR
    (like(proxyUri,"URI3") AND like(methodName,"GET")), "ABC") 
| bin span=5m _time 
| stats count(totalResponseTime) as TotalTrans by Product URI methodName _time 
| eventstats sum(eval(RangetotalResponseTime="totalResponseTime")) as TS<3S by Product URI methodName 
| eventstats sum(eval(RangetotalResponseTimeabv3sec="totalResponseTimeabv3sec")) as TS>3S by Product URI methodName 
| eval SLI=case(Product="ABC", round('TS<3S'/TotalTrans*100,4)) 
| rename methodName AS Method 
| where (Product="ABC") and (SLI<99) 
| stats sum(TS>3S) as AvgImpact count(URI) as DataOutage by Product URI Method 
| fields Product URI Method TotalTrans SLI AvgImpact DataOutage 
| sort Product URI Method


PickleRick
SplunkTrust

And what is the question?


Gauri
Engager

No value is getting displayed in TotalTrans field when I am running the given query.


PickleRick
SplunkTrust

You can either start from the beginning, adding subsequent commands to see when your results stop being what you wanted them to be, or from the end, removing commands one by one until your intermediate results start making sense.


Gauri
Engager

I am using two stats:

1. The 1st stats has some fields split by _time:

      | stats count(totalResponseTime) as TotalTrans by Product URI methodName _time

2. The 2nd stats has some fields split without time:

    | stats sum(TS>3S) As AvgImpact
      count(URI) as DataOutage by Product URI Method 

I want the fields from both stats to be displayed in the result.

For example: | fields TotalTrans Product URI Method AvgImpact DataOutage

How can I achieve this ?


PickleRick
SplunkTrust

OK. You can't do something with the data you already removed in your search pipeline. So you can't do two separate stats commands with different aggregations and different sets of "by" fields. Either rewrite your search to have a more granular set of the "by" fields (but if you get too many of them you might get too many results) and then later additionally summarize your events (for example using eventstats), or simply use two separate searches.

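The following search puts the two suggestions above together (KendallW's "carry the value forward with eventstats" and PickleRick's "aggregate at the finer granularity first, then summarize"). It is an added example, not code posted by either of them or by the original poster. It assumes the field names from the question (requestTimeinSec in seconds, proxyUri, URI, methodName), the 3000 ms threshold, a 5-minute bucket, and a placeholder base search on the first line; the bucket-level field names (BucketTrans, BucketFast, BucketSlow) and WorstSLI are names chosen here. The key point is the order of operations: the per-bucket stats is the only aggregation that sees raw events, so every count needed later (total, fast, slow) is taken there; eventstats then stamps the overall TotalTrans onto every bucket row before the where clause discards the healthy buckets, so the final stats can still report it.

```spl
index=proxy_logs sourcetype=apigw_access
| eval responseMs=round(requestTimeinSec*1000)
| eval Product=case(
    (like(proxyUri,"URI1") AND like(methodName,"POST")) OR
    (like(proxyUri,"URI2") AND like(methodName,"GET")) OR
    (like(proxyUri,"URI3") AND like(methodName,"GET")), "ABC")
| where isnotnull(Product)
| bin span=5m _time
| stats count as BucketTrans
        count(eval(responseMs<=3000)) as BucketFast
        count(eval(responseMs>3000)) as BucketSlow
        by Product URI methodName _time
| eventstats sum(BucketTrans) as TotalTrans by Product URI methodName
| eval SLI=round(BucketFast/BucketTrans*100, 4)
| where SLI<99
| stats max(TotalTrans) as TotalTrans
        min(SLI) as WorstSLI
        sum(BucketSlow) as AvgImpact
        count as DataOutage
        by Product URI methodName
| rename methodName as Method
| fields Product URI Method TotalTrans WorstSLI AvgImpact DataOutage
| sort Product URI Method
```

Notes on the choices: count(eval(condition)) counts only the rows where the condition is true, which replaces the rangemap/rename pairs in the question and avoids field names containing "<" or ">" (those must be wrapped in single quotes whenever an eval references them). TotalTrans is identical on every bucket row of a group after eventstats, so max() in the final stats simply picks that value; DataOutage is the number of 5-minute buckets below 99 %, and WorstSLI is the lowest bucket SLI in the group, since a single SLI per group is what the final table can show. Two caveats: like() without a "%" or "_" wildcard is an exact match, so the URI patterns need wildcards if they are meant to match prefixes, and the "where isnotnull(Product)" is placed before bin/stats deliberately so that events for other products never enter the aggregation. The same eventstats-before-where shape is the usual way to keep a denominator in ratio-based detections, for example failed logins over all logins per source, where you alert on the ratio but still want the total in the alert table.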