Solved: Re: "Count Over" Statement not working

athorat · ‎01-29-2016

Hi ,
I am using two queries and then want to use the status from the first query and the DP_Time from the second query to display a chart.

I can get the count of both but cant use "by status" or "count over status" statement.

index="np_dpa" "*-api-monitor" PROXYNAME=mpgw_SMARTtrek* EventType="[request]" OR EventType="[error]" | eval status=case(EventType="[error]","Fail",EventType="[request]","Success")  

| append [search index=np_dpa PROXYNAME=mpgw_SMARTtrekTelematicsAPI latency| 
  eval Back_Time = abs(bs_conn_attempt-res_hdr_rec)/1000 | eval Req_Time = abs(req_transmitted-req_hdr_rd)/1000 | eval Resp_Time = abs(res_hdr_rec-res_transmitted)/1000 | eval Total_Time = abs(res_transmitted-req_hdr_rd)/1000 |eval DP_Time=abs(Req_Time  + Resp_Time)]

 |chart avg(DP_Time) count over status

masonmorales · ‎01-29-2016

Although status exists in both sets of results, DP_Time does not. So, when you do a stats function(field) by someotherfield, if someotherfield does not exist in both sets of results, you will get zero results.

View solution in original post

somesoni2 · ‎01-29-2016

How are both the result set related? Both status and DP_Time appear to be available in different events, so unless you've a common field correlating them, the graph you're looking is not possible.

athorat · ‎01-29-2016

@somesoni2 We have TID and Proxyname common between both the queries

masonmorales · ‎01-29-2016

Although status exists in both sets of results, DP_Time does not. So, when you do a stats function(field) by someotherfield, if someotherfield does not exist in both sets of results, you will get zero results.

athorat · ‎01-29-2016

instead of append can I join it some how?

"Count Over" Statement not working

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies