Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Error in 'stats' command: The argument 'span=1min' is invalid.

dtapia
Explorer
‎03-27-2025 11:37 PM

Help: when i try to run the following a get Error in 'stats' command: The argument 'span=1min' is invalid.

index=transactions
tipo_transaccion="Retiro de Efectivo"
(emisor="VISA" AND tipo_cuenta="Crédito")
| eval is_authorized=if(codigo_respuesta=="00" OR codigo_respuesta=="000", 1, 0)
| eval is_declined=if(is_authorized==0 AND (codigo_respuesta!="91" AND codigo_respuesta!="68" AND codigo_respuesta!="timeout"), 1, 0)
| eval is_timeout=if(codigo_respuesta=="91" OR codigo_respuesta=="68" OR codigo_respuesta=="timeout", 1, 0)
| stats
count as total_txn,
sum(is_authorized) as authorized_txn,
sum(is_declined) as declined_txn,
sum(is_timeout) as timeout_txn,
sum(eval(is_authorized*importe)) as authorized_amount,
sum(eval(is_declined*importe)) as declined_amount,
sum(eval(is_timeout*importe)) as timeout_amount
by _time span="1min"

Please your support I really don't know what is causing the mistake
 
regards
Dtapia
Labels (1)
Labels
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎03-28-2025 02:56 AM

Hi @dtapia 

The `stats` command doesnt allow for a span with splitting by _time, instead you should either use timechart (which I believe would work in this case - just replace "stats" for "timechart") 

or you could use the `bin` command (`| bin _time span=1min` BEFORE the `stats` command then you can use | stats count..sum...etc.. BY _time (without the span) and it will be in 1 min blocks.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Reply

dtapia
Explorer
‎03-28-2025 10:27 PM

Hi @livehybrid, thank you so much for your feedback, they were very helpful in getting my Dashboard working in Splunk, thank you

Regards

DTapia

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-27-2025 11:54 PM

Hi @dtapia ,

as you can ead at https://docs.splunk.com/Documentation/Splunk/9.4.1/SearchReference/Stats you cannot use the span option in the stats command, it's possible to use it only in the tstats or timechart commands but not in stats.

In this case, you have to add a ne command bin or bucket before the ststs command, something like this:

index=transactions
tipo_transaccion="Retiro de Efectivo"
(emisor="VISA" AND tipo_cuenta="Crédito")
| eval is_authorized=if(codigo_respuesta=="00" OR codigo_respuesta=="000", 1, 0)
| eval is_declined=if(is_authorized==0 AND (codigo_respuesta!="91" AND codigo_respuesta!="68" AND codigo_respuesta!="timeout"), 1, 0)
| eval is_timeout=if(codigo_respuesta=="91" OR codigo_respuesta=="68" OR codigo_respuesta=="timeout", 1, 0)
| bin span=1m _time
| stats
count as total_txn,
sum(is_authorized) as authorized_txn,
sum(is_declined) as declined_txn,
sum(is_timeout) as timeout_txn,
sum(eval(is_authorized*importe)) as authorized_amount,
sum(eval(is_declined*importe)) as declined_amount,
sum(eval(is_timeout*importe)) as timeout_amount
by _time

 Ciao.

Giuseppe

Reply

dtapia
Explorer
‎03-28-2025 07:16 PM

Hello GCusello, 

thank you very much for the support, it worked very well

Regards

DTapia

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-30-2025 05:36 AM

Hi @dtapia ,

good for you, see next time!

let us know if we can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...