Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is it possible to do a conditional count using tstats?

cramasta
Builder
‎04-16-2015 07:18 AM

Is it possible to do a conditional count using tstats? I'm trying use the following which is the syntax that I would use for a non tstats search, but it doesn't work. count(eval("Performance.duration" > 2500)) AS violation

Complete search:

| tstats  count(eval("Performance.duration" > 2500)) AS violation exactperc99("Performance.duration") AS "perc99"  from datamodel=PerformanceMetrics where (nodename = PerformanceMetricBaseSearch)  (PerformanceMetricBaseSearch.duration="*")   groupby PerformanceMetric _time span=15m
Reply

Kenshiro70
Path Finder
‎03-21-2018 08:31 AM

Here's how I did it without changing the data model.

My goal was to see what percentage of API calls returned in under 1 second and under 3 seconds.

| tstats summariesonly=t prestats=t count from datamodel=rest_api 
       BY object.apiName
| eval perfThreshold="Total"
| tstats summariesonly=t prestats=t append=t count from datamodel=rest_api 
       WHERE object.responseTime<=1000
       BY object.apiName
| eval perfThreshold=case(isnotnull(perfThreshold), perfThreshold, true(), "Below1sec")
| tstats summariesonly=t prestats=t append=t count from datamodel=rest_api 
       WHERE object.responseTime<=3000
       BY object.apiName
| eval perfThreshold=case(isnotnull(perfThreshold), perfThreshold, true(), "Below3sec")
| rename object.* as *
| chart count by apiName perfThreshold
| eval pctBelow1Sec=100 * Below1sec / Total
| eval pctBelow3Sec=100 * Below3sec / Total
| table apiName pctBelow1Sec pctBelow3Sec Total

Hope this helps.

0 Karma
Reply

cramasta
Builder
‎04-16-2015 07:43 AM

I have been able to do this with adding another tstats string using append=true, however curious if it can be done without having to do that

0 Karma
Reply

pwmcintyre
Explorer
‎10-24-2016 01:04 AM

@cramasta - do you think you could post an example?

0 Karma
Reply

sundareshr
Legend
‎10-24-2016 06:14 AM

One way you could try is add a new field to your datamodel. eval newfield=if("Performance.duration" > 2500, 1, 0) and in your search do | tstats sum(newfield) as violation

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...