Why can't I compare if RESPTI is bigger than the U...

Stijn · ‎02-16-2023

source=PR1 sourcetype="sap:abap" EVENT_TYPE=STAD EVENT_SUBTYPE=MAIN (TCODE="ZORF_BOX_CLOSING") SYUCOMM="SICH_T" ACCOUNT=HRL*
| eval RESPTI = round(RESPTI/1000,2), DBCALLTI=round(DBCALLTI/1000,2)
| timechart avg(RESPTI) as "Average_Execution_Time" avg(DBCALLTI) as "Average_DB_Time" span=5m
| eval Average_Execution_Time = round(Average_Execution_Time,2), Average_DB_Time=round(Average_DB_Time,2)
| eventstats
| eval UCL='stdev(Average_Execution_Time)'+'mean(Average_Execution_Time)', UCL_DB='stdev(Average_DB_Time)'+'mean(Average_DB_Time)'
| eval day_of_week = strftime(_time,"%A")
| where day_of_week!= "Saturday" and day_of_week!= "Sunday"
| eval New_Field=if(RESPTI >= UCL, 1, 0)
| timechart sum(New_Field) span=$span$

This is the search that i am using. I am trying to get a barchart that show the amount of times that the RESPTI goes over the UCL. The problem that i am having is that i cannot compare if RESPTI is bigger than the UCL since it does not want to load in the value. if i try to table it like | table RESPTI, UCL, New_Field then RESPTI will just show up empty.

ITWhisperer · ‎02-16-2023

Your eventstats command appears to have no parameters.

Stijn · ‎02-16-2023

I coppied the original search from a dashboard that somebody else made. if i remove the eventstats the search does not work at all

ITWhisperer · ‎02-16-2023

eventstats requires at least one aggregation function which you don't appear to have (unless you aren't showing us the complete search?)

Why can't I compare if RESPTI is bigger than the UCL (since it does not want to load in the value)?

eval

timechart

BORE at .conf25

OpenTelemetry for Legacy Apps? Yes, You Can!

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

Are you a member of the Splunk Community?