Re: How can I find results only iff the previous q...

yk010123 · ‎04-19-2023

I calculate the requests per second for my application using the following query:

method!=GET process="start"
| timechart count by region limit=0
| timechart per_second(*)

I also calculate the number of errors my application is producing using the following separate query

process=end AND status=500
| timechart count
| timechart per_second(*)

I am trying to find a query that will answer when my application "breaks", or in other words, what is the requests per second that causes my application to have more than N errors

yeahnah · ‎04-19-2023

Hi @yk010123

It usually easier to help when there are some example events provided, but based on what you've shown in the SPL something like this should work

(method!=GET process="start") OR (process=end AND status=500)
| eval region=coalesce(region, "none") ``` account for end event not having a region ```
      ,type=if(process="start", "start", "end")
| stats count BY _time type region
| timechart span=1m
    sum(eval(type="start")) AS start
    sum(eval(type="end")) AS end
  BY region
| timechart per_second(*)

One query that combines the results into one table/graph.

Hope it helps

How can I find results only iff the previous queries returns results?

chart

lookup

subsearch

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Are you a member of the Splunk Community?