Re: How to get peakstats and a count of success an...

ashidhingra · ‎01-22-2024

How to get peakstats and a count of success and errors for a month in one table?

gcusello · ‎01-22-2024

the search depends on the data you have.

So supponing that the field with the traffic to monitor i "bytes" and the field with access and failed is "action" and that you want thes monitoring for each host, you could try something like this, for a month:

<your_search>
| stats
   max(bytes) AS peak
   count(eval(action="success")) AS success
   count(eval(action="failed")) AS failed
   BY host

Ciao.

Giuseppe

ashidhingra · ‎01-22-2024

I am getting the peak stats by bucket using this

<your_search>
| bucket span=1s _time 
| stats count by _time 
| timechart max(count) AS Peak_TPS span=1m

Some how the two Queries are not working together

gcusello · ‎01-22-2024

Hi @ashidhingra,

yes, because after a stats command you have only the fields in the stats, you shuld try something like this:

<your_search> earliest=-1mon latest=@mon
| bucket span=1s _time 
| stats 
   count 
   count(eval(action="success")) AS success
   count(eval(action="failed")) AS failed
   BY _time 
| stats
   max(count) AS Peak_TPS 
   sum(success) AS success
   sum(failed) AS failed

You cannot use timechart because in timechart you cannot have more fields

Ciao.

Giuseppe

How to get peakstats and a count of success and errors for a month in one table?

chart

eval

stats

table

timechart

tstats

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

How to get peakstats and a count of success and errors for a month in one table?