Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Is it possible to do a conditional count using tst...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to do a conditional count using tstats?
cramasta
Builder
04-16-2015
07:18 AM
Is it possible to do a conditional count using tstats? I'm trying use the following which is the syntax that I would use for a non tstats search, but it doesn't work. count(eval("Performance.duration" > 2500)) AS violation
Complete search:
| tstats count(eval("Performance.duration" > 2500)) AS violation exactperc99("Performance.duration") AS "perc99" from datamodel=PerformanceMetrics where (nodename = PerformanceMetricBaseSearch) (PerformanceMetricBaseSearch.duration="*") groupby PerformanceMetric _time span=15m
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Kenshiro70
Path Finder
03-21-2018
08:31 AM
Here's how I did it without changing the data model.
My goal was to see what percentage of API calls returned in under 1 second and under 3 seconds.
| tstats summariesonly=t prestats=t count from datamodel=rest_api
BY object.apiName
| eval perfThreshold="Total"
| tstats summariesonly=t prestats=t append=t count from datamodel=rest_api
WHERE object.responseTime<=1000
BY object.apiName
| eval perfThreshold=case(isnotnull(perfThreshold), perfThreshold, true(), "Below1sec")
| tstats summariesonly=t prestats=t append=t count from datamodel=rest_api
WHERE object.responseTime<=3000
BY object.apiName
| eval perfThreshold=case(isnotnull(perfThreshold), perfThreshold, true(), "Below3sec")
| rename object.* as *
| chart count by apiName perfThreshold
| eval pctBelow1Sec=100 * Below1sec / Total
| eval pctBelow3Sec=100 * Below3sec / Total
| table apiName pctBelow1Sec pctBelow3Sec Total
Hope this helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cramasta
Builder
04-16-2015
07:43 AM
I have been able to do this with adding another tstats string using append=true, however curious if it can be done without having to do that
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pwmcintyre
Explorer
10-24-2016
01:04 AM
@cramasta - do you think you could post an example?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
10-24-2016
06:14 AM
One way you could try is add a new field to your datamodel. eval newfield=if("Performance.duration" > 2500, 1, 0) and in your search do | tstats sum(newfield) as violation
Get Updates on the Splunk Community!
Data Management Digest – December 2025
Welcome to the December edition of Data Management Digest!
As we continue our journey of data innovation, the ...
Index This | What is broken 80% of the time by February?
December 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this ...
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
Hello Splunk Community,
We're thrilled to share an exciting update that will help you manage your data more ...
