Splunk Search

Why am I unable to get results for the second stats in my search?

I have a log file with rows for each transaction in a request sequence, each identified by msg_id. I'm trying to get requests per second (RPS) and transactions per second (TPS). I can get one or the other, but am having trouble getting both. I think I'm missing something really obvious. Please help!

sourcetype=log
  | eval time=strftime( _time, "%Y-%m-%d %H:%M:%S" )
  | stats count AS countX BY time, msg_id
  | stats count AS RPS, sum( countX ) as TPS BY time

I get RPS, but no TPS.

I tried previously:

sourcetype=log
  | eval time=strftime( _time, "%Y-%m-%d %H:%M:%S" )
  | stats count AS TPS, dc( msg_id ) AS RPS  BY time

And that also didn't work (TPS, but no RPS).

Help!

0 Karma

SplunkTrust

Try removing the space in the stats function [use sum(countX)].

sourcetype=log
   | eval time=strftime( _time, "%Y-%m-%d %H:%M:%S" )
   | stats count AS countX BY time, msg_id
   | stats count AS RPS, sum(countX) as TPS BY time

Thanks. That worked!

That's a bug in my book.

0 Karma

Community Manager

Glad you found an answer through @somesoni2. Don't forget to resolve the post by clicking "Accept" directly below his answer, and also give him an upvote for helping you out.

0 Karma