Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why is tstats command with eval not working on a p...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi,
I am trying to combine results into two categories based of an eval statement.
The original query returns the results fine, but is slow because of large amount of results and extended time frame:
index=enc sourcetype=enc type=trace source=*123456*| eval Call = if(app_type="API", "sdk", "non-sdk") | stats count by Call
I tried the following with tstats, but none of them work, meaning displayed 0 results.
| tstats count from datamodel=Enc where sourcetype=trace Enc.type=TRACE Enc.cid=1234567 Enc.app_type=*
| `drop_dm_object_name("Enc")`
| eval Call=if(app_type=="API", "sdk","non-sdk")
| stats sum(count) by Call
AND
| tstats count from datamodel=Enc where sourcetype=enc-trace Enc.type=TRACE Enc.cid=1234567
| `drop_dm_object_name("Enc")`
| eval sdk=if(app_type="API",count,0), non-sdk=if(app_type!="API",count,0)
| stats sum(sdk) as SDK, sum(non-sdk) as NON-SDK
appreciate help and ideas from Splunkers.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was able to get the results. Realized that we were not using the actual field app_type with GROUPBY in the tstats base search .. doing the following returned the expected results and I have validated them to be true.
| tstats count from datamodel=Enc where sourcetype=trace Enc.type=TRACE Enc.cid=1234567 GROUBPBY Enc.app_type
| drop_dm_object_name("Enc")
| eval Call=if(app_type=="API", "sdk","non-sdk")
| stats sum(count) by Call
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was able to get the results. Realized that we were not using the actual field app_type with GROUPBY in the tstats base search .. doing the following returned the expected results and I have validated them to be true.
| tstats count from datamodel=Enc where sourcetype=trace Enc.type=TRACE Enc.cid=1234567 GROUBPBY Enc.app_type
| drop_dm_object_name("Enc")
| eval Call=if(app_type=="API", "sdk","non-sdk")
| stats sum(count) by Call
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try adding prestats=true to your tstats commands.
Thats always needed if you're going to feed tstats into timechart, stats, etc.
For example:
| tstats prestats=true count from datamodel=Enc where sourcetype=trace Enc.type=TRACE Enc.cid=1234567 Enc.app_type=*
| drop_dm_object_name("Enc")
| eval Call=if(app_type=="API", "sdk","non-sdk")
| stats sum(count) by Call
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks jkat54.
adding prestats=true displays blank results with a single column non-sdk
| tstats prestats=true count from datamodel=Enc where sourcetype=trace Enc.type=TRACE Enc.cid=1234567 Enc.app_type=*
| drop_dm_object_name("Enc")
| eval Call=if(app_type=="API", "sdk","non-sdk")
| stats sum(count) by Call
results -
Call sum(count)
non-sdk
index=enc sourcetype=enc type=trace source=123456| eval Call = if(app_type="API", "sdk", "non-sdk") | stats count by Call
Call count
non-sdk 1144197
sdk 513994
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
