Why am I unable to get results for the second stat...

David_Hodgson · ‎07-11-2016

I have a log file with rows for each transaction in a request sequence, each identified by msg_id. I'm trying to get requests per second (RPS) and transactions per second (TPS). I can get one or the other, but am having trouble getting both. I think I'm missing something really obvious. Please help!

sourcetype=log
  | eval time=strftime( _time, "%Y-%m-%d %H:%M:%S" )
  | stats count AS countX BY time, msg_id
  | stats count AS RPS, sum( countX ) as TPS BY time

I get RPS, but no TPS.

I tried previously:

sourcetype=log
  | eval time=strftime( _time, "%Y-%m-%d %H:%M:%S" )
  | stats count AS TPS, dc( msg_id ) AS RPS  BY time

And that also didn't work (TPS, but no RPS).

Help!

somesoni2 · ‎07-11-2016

Try removing the space in the stats function [use sum(countX)].

sourcetype=log
   | eval time=strftime( _time, "%Y-%m-%d %H:%M:%S" )
   | stats count AS countX BY time, msg_id
   | stats count AS RPS, sum(countX) as TPS BY time

David_Hodgson · ‎07-11-2016

Thanks. That worked!

That's a bug in my book.

ppablo · ‎07-11-2016

Glad you found an answer through @somesoni2 Don't forget to resolve the post by clicking "Accept" directly below his answer, and also give him an upvote for helping you out.

Why am I unable to get results for the second stats in my search?

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Join the Conversation

Why am I unable to get results for the second stats in my search?

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!