Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

tstats with stats eval condition not displaying any results

nmohammed
Builder
‎03-09-2016 12:14 PM

We are trying to run our monthly reports faster , for that we are using data models and tstats .

This is my original query, which would take days to run if I want monthly reports .. \

(sourcetype=error OR sourcetype=info client=*) |bucket _time span=1h | stats count as Total count(eval(sourcetype=="info")) as Calls count(eval(sourcetype=="error")) as Errors count(eval(exec_time_ms > 3000)) as Heavy by _time, client | eval QoS = round(((Total-Errors)/Total)*100, 3) | eval Perf = round((1-(Heavy/Calls))*100, 3)

we have implemented data models with acceleration and I have re-written the query using tstats :

| tstats count(ABC.exec_time) as exec_time FROM datamodel=ABC WHERE (sourcetype=error OR sourcetype=info) ABC.client=11222333 groupby _time span=1h |bucket _time span=1h | stats count as Total count(eval(sourcetype=="info")) as Calls count(eval(sourcetype=="error")) as Errors count(eval(exec_time > 3000)) as SlowCalls by _time | eval Performance = round((1-(SlowCalls/API_Calls))*100, 3) | table _time, Performance

The above query does not display any results for performance column in the table. Can someone help me identify, if something is wrong and needs correction?

Reply

pwmcintyre
Explorer
‎10-24-2016 01:06 AM

did you find your answer? I'm running into the same issue

0 Karma
Reply

fdi01
Motivator
‎03-11-2016 02:10 AM 
| tstats count(ABC.exec_time) as exec_time FROM datamodel=ABC WHERE (sourcetype=error OR sourcetype=info) ABC.client=11222333 groupby _time span=1h |bucket _time span=1h | stats count as Total count(eval(sourcetype=="info")) as API_Calls count(eval(sourcetype=="error")) as Errors count(eval(exec_time > 3000)) as SlowCalls by _time | eval Performance = round((1-(SlowCalls/API_Calls))*100, 3) | table _time, Performance

or 

...| stats count as Total count(eval(sourcetype=="info")) as Calls count(eval(sourcetype=="error")) as Errors count(eval(exec_time > 3000)) as SlowCalls by _time | eval Performance = round((1-(SlowCalls/Calls))*100, 3) | table _time, Performance
0 Karma
Reply

maciep
Champion
‎03-10-2016 03:26 PM

I think it always helps to start at the end and start removing pipes to see where you might be missing something. But at a quick glance, it looks like you're referencing a field called API_Calls, which I don't see defined anywhere in your search. So that would probably make your Performance eval fail and therefore why you have nothing in that field.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...