Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Error in 'stats' command: The argument 'span=1min' is invalid.

dtapia
Explorer
‎03-27-2025 11:37 PM

Help: when i try to run the following a get Error in 'stats' command: The argument 'span=1min' is invalid.

index=transactions
tipo_transaccion="Retiro de Efectivo"
(emisor="VISA" AND tipo_cuenta="Crédito")
| eval is_authorized=if(codigo_respuesta=="00" OR codigo_respuesta=="000", 1, 0)
| eval is_declined=if(is_authorized==0 AND (codigo_respuesta!="91" AND codigo_respuesta!="68" AND codigo_respuesta!="timeout"), 1, 0)
| eval is_timeout=if(codigo_respuesta=="91" OR codigo_respuesta=="68" OR codigo_respuesta=="timeout", 1, 0)
| stats
count as total_txn,
sum(is_authorized) as authorized_txn,
sum(is_declined) as declined_txn,
sum(is_timeout) as timeout_txn,
sum(eval(is_authorized*importe)) as authorized_amount,
sum(eval(is_declined*importe)) as declined_amount,
sum(eval(is_timeout*importe)) as timeout_amount
by _time span="1min"

Please your support I really don't know what is causing the mistake
 
regards
Dtapia
Labels (1)
Labels
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎03-28-2025 02:56 AM

Hi @dtapia 

The `stats` command doesnt allow for a span with splitting by _time, instead you should either use timechart (which I believe would work in this case - just replace "stats" for "timechart") 

or you could use the `bin` command (`| bin _time span=1min` BEFORE the `stats` command then you can use | stats count..sum...etc.. BY _time (without the span) and it will be in 1 min blocks.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Reply

dtapia
Explorer
‎03-28-2025 10:27 PM

Hi @livehybrid, thank you so much for your feedback, they were very helpful in getting my Dashboard working in Splunk, thank you

Regards

DTapia

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-27-2025 11:54 PM

Hi @dtapia ,

as you can ead at https://docs.splunk.com/Documentation/Splunk/9.4.1/SearchReference/Stats you cannot use the span option in the stats command, it's possible to use it only in the tstats or timechart commands but not in stats.

In this case, you have to add a ne command bin or bucket before the ststs command, something like this:

index=transactions
tipo_transaccion="Retiro de Efectivo"
(emisor="VISA" AND tipo_cuenta="Crédito")
| eval is_authorized=if(codigo_respuesta=="00" OR codigo_respuesta=="000", 1, 0)
| eval is_declined=if(is_authorized==0 AND (codigo_respuesta!="91" AND codigo_respuesta!="68" AND codigo_respuesta!="timeout"), 1, 0)
| eval is_timeout=if(codigo_respuesta=="91" OR codigo_respuesta=="68" OR codigo_respuesta=="timeout", 1, 0)
| bin span=1m _time
| stats
count as total_txn,
sum(is_authorized) as authorized_txn,
sum(is_declined) as declined_txn,
sum(is_timeout) as timeout_txn,
sum(eval(is_authorized*importe)) as authorized_amount,
sum(eval(is_declined*importe)) as declined_amount,
sum(eval(is_timeout*importe)) as timeout_amount
by _time

 Ciao.

Giuseppe

Reply

dtapia
Explorer
‎03-28-2025 07:16 PM

Hello GCusello, 

thank you very much for the support, it worked very well

Regards

DTapia

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-30-2025 05:36 AM

Hi @dtapia ,

good for you, see next time!

let us know if we can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...