Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Unable to get the statistics in one line

SG
Path Finder
‎03-15-2022 04:11 AM

HI, I wanted to see the results for each service in one line. But I see each hour in a different line as per the below screenshot. Can you please let me know what changes need to be done to get the results in one line even though we select multiple hrs in the time while doing the search?

My Search query - 

SG_0-1647342522297.png

index=*****
| stats list(service_calls) as service_calls list(service_errors) as service_errors list(service_error_rate) as service_error_rate by service

 

Thanks,

SG 

Labels (1)
Labels
0 Karma
Reply

SG
Path Finder
‎03-15-2022 05:43 AM

Apologies for not giving complete information about the question. Please find the same for below...

index=*** 
| stats count as service_calls, count(eval(status >= 400)) as service_errors by service
| eval service_error_rate = round((service_errors / service_calls) * 100,2)
| where service_error_rate > 0
| stats list(service_calls) as service_calls list(service_errors) as service_errors list(service_error_rate) as service_error_rate by service

The above query will give output as below if i search for 3 hrs. This data is taken from the original index where the logs are written to it directly from the server.

SG_0-1647347370242.png

Now i am writing these logs to a summary index by using below query

index=*** 
| stats count as service_calls, count(eval(status >= 400)) as service_errors by service
| eval service_error_rate = round((service_errors / service_calls) * 100,2)
| where service_error_rate > 0
| sistats list(service_calls) as service_calls list(service_errors) as service_errors list(service_error_rate) as service_error_rate by service

 

After writing the logs into summary index if i am searching for the data with this query for same time period i am getting data in multiple lines not as per the original data.

Search query in my summary index 

index= *** report=****
| stats list(service_calls) as service_calls list(service_errors) as service_errors list(service_error_rate) as service_error_rate by service

 

Results for the above query in multiple lines

SG_1-1647347920467.png

I scheduled report to run for every one hr, below are the details of schedule

SG_2-1647348081503.png

SG_3-1647348114793.png

With above data, can you please tell me what needs to be changed to get the data in single line like i get if i search for data in the original index.

 

Thanks,

SG

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-15-2022 07:16 AM

You are writing to the summary index every hour, one line per service

When you search the summary index, you are getting one result per our per service, so if your time period is now 3 hours (1am to 4am), you can expect to get upto 3 results per service.

if you just want to see the results from the summary index, don't use stats.

If you want to aggregate the results from the 3 hours, try summing them as I suggested. You might want to recalculate the error rate based on the sum of requests and sum of errors.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-15-2022 05:09 AM

Do you mean this?

index=*****
| stats sum(service_calls) as service_calls sum(service_errors) as service_errors sum(service_error_rate) as service_error_rate by service
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-15-2022 04:19 AM

Hi @SG,

sorry but I dont see the hours in your screenshot and search?

what are you meaning?

if you want to ungroup rows, you have to put the fields in list in the BY clause, something like this:

index=ghs_xapi_summary
| stats by service service_calls service_errors service_error_rate

Ciao.

Giuseppe

0 Karma
Reply

SG
Path Finder
‎03-20-2022 08:33 PM

I don't want to separate the data based on hrs. Thats the reason i didn't mention the time chart.

If i select one hr data comes in single row, but if i select more than one hr data comes as below in multiple rows.

 

SG_0-1647833616113.png

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-21-2022 12:50 AM

Hi @SG,

don't use list as option in the stats command, but sum or last, you can see the possible options at https://docs.splunk.com/Documentation/Splunk/8.2.5/SearchReference/Stats#Stats_function_options

Ciao.

Giuseppe

0 Karma
Reply

SG
Path Finder
‎03-22-2022 12:02 AM

HI,

If i use sum option i am not getting any data for my search...

SG_0-1647932076100.png

Below is my search schedule to write data to summary index - 

index=*** 
| eval endpoint=coalesce(Address_operation)
| eval endpoint_status = endpoint."-".status
| search NOT endpoint_status IN ("GetPointsDetails-404")
| convert num(status)
| sistats count as Total_service_calls, count(eval(status >= 400)) as service_errors by service

After writing the data to summary index i could see the logs in the summary index looks like below...

SG_1-1647932439445.png

Let me know if i am doing something wrong the way writing data to summary index.

 

Thanks,

SG

 

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-22-2022 01:05 AM

Hi @SG,

put table and collect commands at the end of your search

index=*** 
| eval endpoint=coalesce(Address_operation)
| eval endpoint_status = endpoint."-".status
| search NOT endpoint_status IN ("GetPointsDetails-404")
| convert num(status)
| sistats count as Total_service_calls, count(eval(status >= 400)) as service_errors by service
| table Total_service_calls service_errors service
| collect index=your_summary_index

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...