Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to convert my two searches into tstats searches?

Robel206
New Member
‎01-25-2017 02:02 PM

Hey everyone,

I need a little assistance converting these 2 searches (one is a pivot search) I have into tstats searches.

  1. | pivot Expweb_Tracelog_Service Service_Events count(Service_Events) AS "Count of Service_Events" SPLITROW _time AS _time PERIOD auto SPLITCOL eventName FILTER eventName is service:SoftvoyageService* FILTER success is false SORT 100 _time ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 100 SHOWOTHER 1

  2. index = exp sourcetype = expwebtracelog splunk_server_group = ewe host = cheXwbtexweb10* eventName=service:SoftvoyageService* OR eventName=ThreePP* | stats count AS Total count(eval(success="true")) AS Successful count(eval(success="false")) AS Failed by eventName | eval "SuccessPercent"=(Total-Failed)/Total*100

Thanks,

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jplumsdaine22
Influencer
‎01-26-2017 03:21 AM

You'll only be able to use tstats if the fields are indexed. By default, that is host, source, sourcetype and _time. If eventName and success are search time fields then you will not be able to use tstats.

You can quickly check by running the following search

| tstats count WHERE sourcetype = expwebtracelog (eventName=* OR success=*) by eventName,success

If you get no results then these are not indexed fields.

If your data model is accelerated you might be able to use tstats for your first query, try 

| tstats prestats=t count(Service_Events)  WHERE eventName=service:SoftvoyageService* AND success=false FROM Expweb_Tracelog_Service Service_Events by _time | timechart AS count(Service_Events) "Count of Service_Events" | head 100

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jplumsdaine22
Influencer
‎01-26-2017 03:21 AM

You'll only be able to use tstats if the fields are indexed. By default, that is host, source, sourcetype and _time. If eventName and success are search time fields then you will not be able to use tstats.

You can quickly check by running the following search

| tstats count WHERE sourcetype = expwebtracelog (eventName=* OR success=*) by eventName,success

If you get no results then these are not indexed fields.

If your data model is accelerated you might be able to use tstats for your first query, try 

| tstats prestats=t count(Service_Events)  WHERE eventName=service:SoftvoyageService* AND success=false FROM Expweb_Tracelog_Service Service_Events by _time | timechart AS count(Service_Events) "Count of Service_Events" | head 100
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...