Splunk Search

Why can't I compare if RESPTI is bigger than the UCL (since it does not want to load in the value)?

Stijn
Loves-to-Learn

source=PR1 sourcetype="sap:abap" EVENT_TYPE=STAD EVENT_SUBTYPE=MAIN (TCODE="ZORF_BOX_CLOSING") SYUCOMM="SICH_T" ACCOUNT=HRL*
| eval RESPTI = round(RESPTI/1000,2), DBCALLTI=round(DBCALLTI/1000,2)
| timechart avg(RESPTI) as "Average_Execution_Time" avg(DBCALLTI) as "Average_DB_Time" span=5m
| eval Average_Execution_Time = round(Average_Execution_Time,2), Average_DB_Time=round(Average_DB_Time,2)
| eventstats
| eval UCL='stdev(Average_Execution_Time)'+'mean(Average_Execution_Time)', UCL_DB='stdev(Average_DB_Time)'+'mean(Average_DB_Time)'
| eval day_of_week = strftime(_time,"%A")
| where day_of_week!= "Saturday" and day_of_week!= "Sunday"
| eval New_Field=if(RESPTI >= UCL, 1, 0)
| timechart sum(New_Field) span=$span$

This is the search that I am using. I am trying to get a bar chart that shows the number of times that the RESPTI goes over the UCL. The problem that I am having is that I cannot compare if RESPTI is bigger than the UCL since it does not want to load in the value. If I try to table it like | table RESPTI, UCL, New_Field then RESPTI will just show up empty.

0 Karma

ITWhisperer
SplunkTrust

Your eventstats command appears to have no parameters.

0 Karma

Stijn
Loves-to-Learn

I copied the original search from a dashboard that somebody else made. If I remove the eventstats, the search does not work at all.

0 Karma

ITWhisperer
SplunkTrust

eventstats requires at least one aggregation function which you don't appear to have (unless you aren't showing us the complete search?)

0 Karma
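
An added example, not part of any post in this thread: one way to restructure the search so the comparison has values on both sides. After `timechart`, only `_time` and the aggregated columns remain, so `RESPTI` no longer exists and the test has to use `Average_Execution_Time`; `eventstats` is given explicit aggregations with `as` names so the UCL can be computed. The field names `mean_exec`, `stdev_exec`, `Over_UCL` and `Breaches` are hypothetical, and `$span$` is the dashboard token from the original search.

```spl
source=PR1 sourcetype="sap:abap" EVENT_TYPE=STAD EVENT_SUBTYPE=MAIN (TCODE="ZORF_BOX_CLOSING") SYUCOMM="SICH_T" ACCOUNT=HRL*
| eval RESPTI=round(RESPTI/1000,2)
| timechart span=5m avg(RESPTI) as Average_Execution_Time
| eval Average_Execution_Time=round(Average_Execution_Time,2)
| eventstats avg(Average_Execution_Time) as mean_exec stdev(Average_Execution_Time) as stdev_exec
| eval UCL=mean_exec+stdev_exec
| eval day_of_week=strftime(_time,"%A")
| where day_of_week!="Saturday" AND day_of_week!="Sunday"
| eval Over_UCL=if(Average_Execution_Time>=UCL,1,0)
| timechart span=$span$ sum(Over_UCL) as Breaches
```

As in the original ordering, the weekend buckets still feed the mean and standard deviation because the `where` filter runs after `eventstats`; move the two day-of-week lines above `eventstats` to exclude them from the baseline.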