Splunk Search

tstats web datamodel unable to use status in eval

Engager

Hi,

I've been having issues with using eval commands with the status field from the Web datamodel, specifically with the tstats command. I'm trying to categorize the status field into failures and successes based on their value. I'm then taking the failures and successes and calculating the failure percentage and then alerting based on thresholds for the failures and failure percentage, looking at a lookup of target sites. Example of the logic:

|tstats count(eval(Web.status>=400)) as failures count(eval(Web.status<400)) as successes values(Web.status) as status count FROM datamodel=Web WHERE [|inputlookup lookup.csv | fields Web.url] BY Web.src
|eval failure_percentage=round((if(failures=0, 0, (failures/count)*100)), 0)
|search failures>40 failure_percentage>75

However, the logic runs into problems where it fails to fire the alert. When investigating, the logic doesn't count the failures and successes despite the status code clearly being within range to classify as one. This logic also worked fine about 2 weeks ago but suddenly seemed to stop working almost overnight. It can still fire into triggered alerts, but you can't run the logic over the timeframe of the triggered alert to check results.

To investigate the issue further, I modified the logic to work with the datamodel command instead of the tstats command:

|datamodel Web search
|search [|inputlookup lookup.csv | fields Web.url]
|stats count(eval(Web.status>=400)) as failures count(eval(Web.status<400)) as successes values(Web.status) as status count by Web.src
|eval failure_percentage=round((if(failures=0, 0, (failures/count)*100)), 0)
|search failures>40 failure_percentage>75

Running this logic, the failures and successes populate like expected. I'm not entirely sure why the logic seems to work fine with datamodel but not the tstats command. Does anyone have any idea why this logic seems to work with datamodel but not with tstats?

Path Finder

It seems that you cannot perform eval logic inside tstats (not sure why).

Eval logic works fine when inside stats, but not tstats.

Esteemed Legend

Your datamodel is no longer accelerated or your acceleration is incomplete for some reason. You will just have to dig into it.

0 Karma

Influencer

Did you check for the datamodel acceleration?

0 Karma
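The two points raised in the replies, checked and worked around in SPL. This is an added example and not code from any of the posters: the first search measures how much of the Web data model is actually being answered from the acceleration summary (summariesonly=true reads only the summary, summariesonly=false falls back to raw events where the summary is missing), and the second rewrites the question's alert so that the status classification happens in eval and stats after tstats rather than inside the tstats aggregation. The field names Web.src, Web.status and Web.url, the lookup.csv filter and the thresholds come from the question; the aliases accelerated_events, all_events and accelerated_pct are assumptions of this example.

```spl
| tstats summariesonly=true count AS accelerated_events FROM datamodel=Web
| appendcols [| tstats summariesonly=false count AS all_events FROM datamodel=Web]
| eval accelerated_pct=round(accelerated_events/all_events*100, 1)
```

If accelerated_pct is well below 100 over the alert's time range, the summary is incomplete or disabled and any summariesonly=true search (or a tstats search whose eval silently yields nothing) will undercount. Once the acceleration is healthy, the alert itself can stay on tstats by grouping on the raw status value and classifying afterwards:

```spl
| tstats count FROM datamodel=Web WHERE [| inputlookup lookup.csv | fields Web.url] BY Web.src Web.status
| eval failures=if('Web.status'>=400, count, 0), successes=if('Web.status'<400, count, 0)
| stats sum(failures) AS failures sum(successes) AS successes values(Web.status) AS status sum(count) AS count BY Web.src
| eval failure_percentage=round(if(count=0, 0, failures/count*100), 0)
| search failures>40 failure_percentage>75
```

Field names that contain a dot, such as Web.status, must be single-quoted inside eval; the division guard tests count rather than failures so a source with zero events cannot produce a division by zero.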