Solved: Re: count(eval(execution-time)>1000) not working

VamshiBavu · ‎04-29-2024

when I run below query I am not able to get the sla_violation_count

index=* execution-time=* uri="v1/validatetoken" | stats count as total_calls, count(eval(execution-time > SLA)) as sla_violation_count

total_calls are displaying as 1 but not able to get sla_violation_count

pasting the results below for the reference

{ 
   datacenter: aus
   env: qa
   execution-time: 2145
   thread: http-nio-8080-exec-2
   uri: v1/validatetoken
   uriTemplate: v1/validatetoken
}

Thanks in advance

ITWhisperer · ‎04-29-2024

Try with the fieldname in single quotes

ndex=* execution-time=* uri="v1/validatetoken"  | stats count as total_calls, count(eval('execution-time' > SLA)) as sla_violation_count

ITWhisperer · ‎04-29-2024

Try with the fieldname in single quotes

ndex=* execution-time=* uri="v1/validatetoken"  | stats count as total_calls, count(eval('execution-time' > SLA)) as sla_violation_count

VamshiBavu · ‎04-29-2024

@ITWhisperer thank you ,you made my day

PickleRick · ‎04-29-2024

The stats(eval()) syntax can be confusing sometimes and is definitely underdocummented.

I don't like its implicit behaviour so I prefer doing stuff "the long way"

| eval is_sla_violated=if(execution-time > SLA,1,0)
| stats sum(is_sla_violated) as sla_violation_count

Of course instead of doing 1/0 and using sum you can do anything/null() and use count.

count(eval(execution-time)>1000) not working