Solved: "Count Over" Statement not working

athorat · ‎01-29-2016

Hi ,
I am using two queries and then want to use the status from the first query and the DP_Time from the second query to display a chart.

I can get the count of both but cant use "by status" or "count over status" statement.

index="np_dpa" "*-api-monitor" PROXYNAME=mpgw_SMARTtrek* EventType="[request]" OR EventType="[error]" | eval status=case(EventType="[error]","Fail",EventType="[request]","Success")  

| append [search index=np_dpa PROXYNAME=mpgw_SMARTtrekTelematicsAPI latency| 
  eval Back_Time = abs(bs_conn_attempt-res_hdr_rec)/1000 | eval Req_Time = abs(req_transmitted-req_hdr_rd)/1000 | eval Resp_Time = abs(res_hdr_rec-res_transmitted)/1000 | eval Total_Time = abs(res_transmitted-req_hdr_rd)/1000 |eval DP_Time=abs(Req_Time  + Resp_Time)]

 |chart avg(DP_Time) count over status

masonmorales · ‎01-29-2016

Although status exists in both sets of results, DP_Time does not. So, when you do a stats function(field) by someotherfield, if someotherfield does not exist in both sets of results, you will get zero results.

View solution in original post

somesoni2 · ‎01-29-2016

How are both the result set related? Both status and DP_Time appear to be available in different events, so unless you've a common field correlating them, the graph you're looking is not possible.

athorat · ‎01-29-2016

@somesoni2 We have TID and Proxyname common between both the queries

masonmorales · ‎01-29-2016

Although status exists in both sets of results, DP_Time does not. So, when you do a stats function(field) by someotherfield, if someotherfield does not exist in both sets of results, you will get zero results.

athorat · ‎01-29-2016

instead of append can I join it some how?

"Count Over" Statement not working

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!