Hi Team,
I am using the following Splunk search, which fetches the requests with status >= 500, sums the total errors and displays the count of errors as error_rate.
(index=data) | eval error=if (httpstatus>=500, 1, 0) | stats sum(error) as error_rate
When I push the data to a summary index and try to calculate the errors using the search below, it does not give me results.
index=summary | eval error=if (httpstatus >=500, 1, 0) | stats sum(error) as error_rate
Basically, the stats sum() function is not working on the summary index. Can you let us know whether there is any workaround to make the sum function work on the summary index?
A couple of things are needed to clear up your issue.
First, what does the summary index search look like? Are you using an si- command like sistats? If so, can you share the last bits of the summary indexing search so that we can see the complete thing.
In general, if you are using an si command for summary indexing, you have to use the corresponding non-si command as the first operation when you query the summary index in your second search. So, if you are using sistats to write to the summary index, you very likely do not have the field error in the results after the query index=summary. Instead, you have some crazy looking internal field names that Splunk uses to summarize the data.
Based on your comment below @smaran06, I think you would have to do your second query the following way (with stats being the first thing after the initial search).
index=summary | stats count by httpstatus, method | eval error=if(httpstatus>=500, count, 0) | stats sum(error) as error_rate
You may be able to slightly speed it up using the following where you remove "method", but you would want to double check this against the first query's results.
index=summary | stats count by httpstatus | eval error=if(httpstatus>=500, count, 0) | stats sum(error) as error_rate
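As an added illustration (not from the thread), a small Python model of this sistats round trip with constructed sample events. It shows why the second-stage eval has to weight each summary row by its count field: after stats count by httpstatus there is one row per status code, so summing a flat 1 only counts distinct 5xx codes, not 5xx requests.

```python
# Added example, not part of the original thread: models the summary-index
# flow (sistats count by httpstatus,method -> stats count by httpstatus)
# so the two eval variants can be compared against the raw-event search.
from collections import Counter

# Constructed raw events as (httpstatus, method) pairs, standing in for index=data.
RAW_EVENTS = [
    (200, "GET"), (200, "GET"), (500, "GET"), (503, "POST"),
    (503, "POST"), (503, "GET"), (404, "GET"), (502, "PUT"),
]


def raw_error_count(events):
    """index=data | eval error=if(httpstatus>=500,1,0) | stats sum(error)."""
    return sum(1 for status, _ in events if status >= 500)


def sistats_count_by(events):
    """sistats count by httpstatus,method: one summary row per key, carrying a count."""
    return Counter(events)


def stats_count_by_status(summary_rows):
    """stats count by httpstatus over the summary: fold out method, keep the counts."""
    by_status = Counter()
    for (status, _method), count in summary_rows.items():
        by_status[status] += count
    return by_status


def unweighted_error_count(by_status):
    """eval error=if(httpstatus>=500,1,0) | stats sum(error): counts distinct 5xx codes."""
    return sum(1 for status in by_status if status >= 500)


def weighted_error_count(by_status):
    """eval error=if(httpstatus>=500,count,0) | stats sum(error): matches the raw search."""
    return sum(count for status, count in by_status.items() if status >= 500)


if __name__ == "__main__":
    rows = stats_count_by_status(sistats_count_by(RAW_EVENTS))
    print("raw:", raw_error_count(RAW_EVENTS))          # 5 error requests
    print("unweighted:", unweighted_error_count(rows))  # 3 distinct 5xx codes
    print("weighted:", weighted_error_count(rows))      # 5, same as raw
```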
I am using sistats and my query looks like the one below
index=data application="applicationname" | sistats count by httpstatus,method
Then I would think that this query would work
index=summary | stats count by httpstatus | eval error=if(httpstatus>=500, count, 0) | stats sum(error) as error_rate
After you run your summary index query, the only field available there is error_rate (plus other default summary index fields you may not be interested in). So in your summary index, what you should use is this
index=summary | stats sum(error_rate) as error_rate