Solved: "Count Over" Statement not working

athorat · ‎01-29-2016

Hi ,
I am using two queries and then want to use the status from the first query and the DP_Time from the second query to display a chart.

I can get the count of both but cant use "by status" or "count over status" statement.

index="np_dpa" "*-api-monitor" PROXYNAME=mpgw_SMARTtrek* EventType="[request]" OR EventType="[error]" | eval status=case(EventType="[error]","Fail",EventType="[request]","Success")  

| append [search index=np_dpa PROXYNAME=mpgw_SMARTtrekTelematicsAPI latency| 
  eval Back_Time = abs(bs_conn_attempt-res_hdr_rec)/1000 | eval Req_Time = abs(req_transmitted-req_hdr_rd)/1000 | eval Resp_Time = abs(res_hdr_rec-res_transmitted)/1000 | eval Total_Time = abs(res_transmitted-req_hdr_rd)/1000 |eval DP_Time=abs(Req_Time  + Resp_Time)]

 |chart avg(DP_Time) count over status

masonmorales · ‎01-29-2016

Although status exists in both sets of results, DP_Time does not. So, when you do a stats function(field) by someotherfield, if someotherfield does not exist in both sets of results, you will get zero results.

View solution in original post

somesoni2 · ‎01-29-2016

How are both the result set related? Both status and DP_Time appear to be available in different events, so unless you've a common field correlating them, the graph you're looking is not possible.

athorat · ‎01-29-2016

@somesoni2 We have TID and Proxyname common between both the queries

masonmorales · ‎01-29-2016

Although status exists in both sets of results, DP_Time does not. So, when you do a stats function(field) by someotherfield, if someotherfield does not exist in both sets of results, you will get zero results.

athorat · ‎01-29-2016

instead of append can I join it some how?

"Count Over" Statement not working

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform