Splunk Search

tstats with stats eval condition not displaying any results

nmohammed
Contributor

We are trying to run our monthly reports faster; for that we are using data models and tstats.

This is my original query, which would take days to run if I want monthly reports:

(sourcetype=error OR sourcetype=info client=*) |bucket _time span=1h | stats count as Total count(eval(sourcetype=="info")) as Calls count(eval(sourcetype=="error")) as Errors count(eval(exec_time_ms > 3000)) as Heavy by _time, client | eval QoS = round(((Total-Errors)/Total)*100, 3) | eval Perf = round((1-(Heavy/Calls))*100, 3)

We have implemented data models with acceleration and I have re-written the query using tstats:

| tstats count(ABC.exec_time) as exec_time FROM datamodel=ABC WHERE (sourcetype=error OR sourcetype=info) ABC.client=11222333 groupby _time span=1h |bucket _time span=1h | stats count as Total count(eval(sourcetype=="info")) as Calls count(eval(sourcetype=="error")) as Errors count(eval(exec_time > 3000)) as SlowCalls by _time | eval Performance = round((1-(SlowCalls/API_Calls))*100, 3) | table _time, Performance

The above query does not display any results for the Performance column in the table. Can someone help me identify if something is wrong and needs correction?

pwmcintyre
Explorer

Did you find your answer? I'm running into the same issue.


fdi01
Motivator

| tstats count(ABC.exec_time) as exec_time FROM datamodel=ABC WHERE (sourcetype=error OR sourcetype=info) ABC.client=11222333 groupby _time span=1h |bucket _time span=1h | stats count as Total count(eval(sourcetype=="info")) as API_Calls count(eval(sourcetype=="error")) as Errors count(eval(exec_time > 3000)) as SlowCalls by _time | eval Performance = round((1-(SlowCalls/API_Calls))*100, 3) | table _time, Performance

or

...| stats count as Total count(eval(sourcetype=="info")) as Calls count(eval(sourcetype=="error")) as Errors count(eval(exec_time > 3000)) as SlowCalls by _time | eval Performance = round((1-(SlowCalls/Calls))*100, 3) | table _time, Performance

maciep
Champion

I think it always helps to start at the end and start removing pipes to see where you might be missing something. But at a quick glance, it looks like you're referencing a field called API_Calls, which I don't see defined anywhere in your search. So that would probably make your Performance eval fail and therefore why you have nothing in that field.
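
A version of the tstats search that actually produces the Calls, Errors and SlowCalls counts, added here as an example rather than taken from any post in the thread. It assumes the data model's root dataset is named ABC with the fields client and exec_time used in the question, and that sourcetype is available as a default field of that dataset. Besides the undefined API_Calls field, the posted search has two quieter problems: tstats only emits the fields listed in its BY clause, so count(eval(sourcetype=="info")) can never match unless sourcetype is grouped on, and count(ABC.exec_time) is a number of events rather than a duration, so exec_time itself must be grouped on before it can be compared with 3000.

```spl
| tstats count FROM datamodel=ABC
    WHERE (sourcetype=error OR sourcetype=info) ABC.client=11222333
    BY _time span=1h, sourcetype, ABC.exec_time
| rename ABC.exec_time AS exec_time
| stats sum(count) AS Total
        sum(eval(if(sourcetype=="info", count, 0))) AS Calls
        sum(eval(if(sourcetype=="error", count, 0))) AS Errors
        sum(eval(if(exec_time > 3000, count, 0))) AS SlowCalls
        BY _time
| eval QoS = round(((Total - Errors) / Total) * 100, 3)
| eval Performance = round((1 - (SlowCalls / Calls)) * 100, 3)
| table _time, Total, Calls, Errors, SlowCalls, QoS, Performance
```

Because the first tstats row count is multiplied by the distinct exec_time values seen per hour, check the row count on a short time range first; if it is too large, a second tstats with WHERE ABC.exec_time > 3000 that only counts slow calls, appended to a coarser first one, gives the same numbers with fewer rows.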
