Why can't I compare if RESPTI is bigger than the U...

Stijn · ‎02-16-2023

source=PR1 sourcetype="sap:abap" EVENT_TYPE=STAD EVENT_SUBTYPE=MAIN (TCODE="ZORF_BOX_CLOSING") SYUCOMM="SICH_T" ACCOUNT=HRL*
| eval RESPTI = round(RESPTI/1000,2), DBCALLTI=round(DBCALLTI/1000,2)
| timechart avg(RESPTI) as "Average_Execution_Time" avg(DBCALLTI) as "Average_DB_Time" span=5m
| eval Average_Execution_Time = round(Average_Execution_Time,2), Average_DB_Time=round(Average_DB_Time,2)
| eventstats
| eval UCL='stdev(Average_Execution_Time)'+'mean(Average_Execution_Time)', UCL_DB='stdev(Average_DB_Time)'+'mean(Average_DB_Time)'
| eval day_of_week = strftime(_time,"%A")
| where day_of_week!= "Saturday" and day_of_week!= "Sunday"
| eval New_Field=if(RESPTI >= UCL, 1, 0)
| timechart sum(New_Field) span=$span$

This is the search that i am using. I am trying to get a barchart that show the amount of times that the RESPTI goes over the UCL. The problem that i am having is that i cannot compare if RESPTI is bigger than the UCL since it does not want to load in the value. if i try to table it like | table RESPTI, UCL, New_Field then RESPTI will just show up empty.

ITWhisperer · ‎02-16-2023

Your eventstats command appears to have no parameters.

Stijn · ‎02-16-2023

I coppied the original search from a dashboard that somebody else made. if i remove the eventstats the search does not work at all

ITWhisperer · ‎02-16-2023

eventstats requires at least one aggregation function which you don't appear to have (unless you aren't showing us the complete search?)

Why can't I compare if RESPTI is bigger than the UCL (since it does not want to load in the value)?

eval

timechart

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability