Splunk Search

TSTATS with count zero and APPENDCOLS error

New Member

Now i have a case:
- count call API "XXX/authen" (not session) by src_ip (1)
| tstats summariesonly count from datamodel=rest.rest where rest.uri="XXX/authen" by rest.src
- count session by src_ip (2)
| tstats summariesonly dc(rest.session) as dc_session from datamodel=rest.rest by rest.src

I use stats with appendcols + subsearch then OK,

index=XXX
| stats count(eval(uri="XXX/authen")) as count_uri by src
| appendcols
[search index=XXX
| stats dc(session) as dc_session by src
]

but use TSTATS fast, then error.
| tstats summariesonly count from datamodel=rest.rest where rest.uri="XXX/authen" by rest.src
| appendcols
[| tstats summariesonly dc(rest.session) as dc_session from datamodel=rest.rest by rest.src
]

Because TSTAST don't show src_ip have count zero then result of (1) , (2) are diffirent.

Please help me!

Tags (2)
0 Karma

New Member

Anyone admin help me ??

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!