Re: How to get peakstats and a count of success an...

ashidhingra · ‎01-22-2024

How to get peakstats and a count of success and errors for a month in one table?

gcusello · ‎01-22-2024

the search depends on the data you have.

So supponing that the field with the traffic to monitor i "bytes" and the field with access and failed is "action" and that you want thes monitoring for each host, you could try something like this, for a month:

<your_search>
| stats
   max(bytes) AS peak
   count(eval(action="success")) AS success
   count(eval(action="failed")) AS failed
   BY host

Ciao.

Giuseppe

ashidhingra · ‎01-22-2024

I am getting the peak stats by bucket using this

<your_search>
| bucket span=1s _time 
| stats count by _time 
| timechart max(count) AS Peak_TPS span=1m

Some how the two Queries are not working together

gcusello · ‎01-22-2024

Hi @ashidhingra,

yes, because after a stats command you have only the fields in the stats, you shuld try something like this:

<your_search> earliest=-1mon latest=@mon
| bucket span=1s _time 
| stats 
   count 
   count(eval(action="success")) AS success
   count(eval(action="failed")) AS failed
   BY _time 
| stats
   max(count) AS Peak_TPS 
   sum(success) AS success
   sum(failed) AS failed

You cannot use timechart because in timechart you cannot have more fields

Ciao.

Giuseppe

How to get peakstats and a count of success and errors for a month in one table?

chart

eval

stats

table

timechart

tstats

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk