Why is my stats command with timechart producing n...

brian38401 · ‎01-27-2016

My stats command is working, but when I pump it into timechart, it shows null values for fraction:

index=ide | stats count(eval(msgId=15)) as TIMEOUT,  count(eval(msgId=12)) as REQUEST, max(_time) as _time | eval fraction = TIMEOUT/REQUEST*100 | timechart max(fraction)

Any idea what I am missing here?

Thanks

jkat54 · ‎01-27-2016

You'll need a "by-clause" in the stats or timechart command. BY _time not AS _time. One creates a column, the other creates a row.. Timechart is looking for columns by rows of time.

Try these:

index=ide | stats count(eval(msgId=15)) as TIMEOUT, count(eval(msgId=12)) as REQUEST, max(_time) as _time |  eval fraction = TIMEOUT/REQUEST*100 | timechart max(fraction) by _time

index=ide | stats count(eval(msgId=15)) as TIMEOUT, count(eval(msgId=12)) as REQUEST, max(_time) as maxtime by _time |  eval fraction = TIMEOUT/REQUEST*100 | timechart max(fraction) 

index=ide | stats count(eval(msgId=15)) as TIMEOUT, count(eval(msgId=12)) as REQUEST by _time |  eval fraction = TIMEOUT/REQUEST*100 | timechart max(fraction) max(_time)

Wait, why are we getting max(_time)? Anytime you manipulate _time you cause problems. Problems that can be fixed but i'm just trying to understand why you need the maximum thereof.

Why is my stats command with timechart producing null values for a field?

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

First Steps with Splunk SOAR

How To Build a Self-Service Observability Practice with Splunk Observability Cloud

Are you a member of the Splunk Community?

Why is my stats command with timechart producing null values for a field?

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

First Steps with Splunk SOAR

How To Build a Self-Service Observability Practice with Splunk Observability Cloud