We are trying to run our monthly reports faster; for that we are using data models and tstats.
This is my original query, which would take days to run if I want monthly reports:
(sourcetype=error OR sourcetype=info client=*) |bucket _time span=1h | stats count as Total count(eval(sourcetype=="info")) as Calls count(eval(sourcetype=="error")) as Errors count(eval(exec_time_ms > 3000)) as Heavy by _time, client | eval QoS = round(((Total-Errors)/Total)*100, 3) | eval Perf = round((1-(Heavy/Calls))*100, 3)
We have implemented data models with acceleration, and I have rewritten the query using tstats:
| tstats count(ABC.exec_time) as exec_time FROM datamodel=ABC WHERE (sourcetype=error OR sourcetype=info) ABC.client=11222333 groupby _time span=1h |bucket _time span=1h | stats count as Total count(eval(sourcetype=="info")) as Calls count(eval(sourcetype=="error")) as Errors count(eval(exec_time > 3000)) as SlowCalls by _time | eval Performance = round((1-(SlowCalls/API_Calls))*100, 3) | table _time, Performance
The above query does not display any results for the Performance column in the table. Can someone help me identify if something is wrong and needs correction?
Did you find your answer? I'm running into the same issue.
| tstats count(ABC.exec_time) as exec_time FROM datamodel=ABC WHERE (sourcetype=error OR sourcetype=info) ABC.client=11222333 groupby _time span=1h |bucket _time span=1h | stats count as Total count(eval(sourcetype=="info")) as API_Calls count(eval(sourcetype=="error")) as Errors count(eval(exec_time > 3000)) as SlowCalls by _time | eval Performance = round((1-(SlowCalls/API_Calls))*100, 3) | table _time, Performance
or
...| stats count as Total count(eval(sourcetype=="info")) as Calls count(eval(sourcetype=="error")) as Errors count(eval(exec_time > 3000)) as SlowCalls by _time | eval Performance = round((1-(SlowCalls/Calls))*100, 3) | table _time, Performance
I think it always helps to start at the end and start removing pipes to see where you might be missing something. But at a quick glance, it looks like you're referencing a field called API_Calls, which I don't see defined anywhere in your search. So that would probably make your Performance eval fail, which is why you have nothing in that field.
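
The check described in the reply above can be automated. This is an added example, not part of the original thread: a small Python linter (the function name `undefined_eval_fields` and its simplified parsing are assumptions of this example) that walks an SPL pipeline and reports `eval` stages reading a field that the preceding `stats`/`tstats` stage did not produce. It tracks only `as` aliases and `by`/`groupby` fields, and does not inspect `eval()` expressions nested inside `stats`.

```python
import re

TRANSFORMING = ("stats", "tstats")  # commands whose output replaces the field set

def undefined_eval_fields(spl):
    """Return (eval_target, missing_field) pairs for eval stages that read a
    field no earlier stats/tstats stage produced."""
    fields = None      # None = raw events, field set unknown, nothing to check
    problems = []
    for stage in (s.strip() for s in spl.split("|")):
        if not stage:
            continue
        cmd = stage.split(None, 1)[0].lower()
        if cmd in TRANSFORMING:
            # Output fields are the "as" aliases plus the by/groupby fields.
            fields = set(re.findall(r"\bas\s+([\w.]+)", stage, re.I))
            by = re.search(r"\b(?:group)?by\s+(.+)$", stage, re.I)
            if by:
                fields.update(t for t in re.split(r"[,\s]+", by.group(1))
                              if re.fullmatch(r"[\w.]+", t))  # skips span=1h
        elif cmd == "eval" and fields is not None:
            m = re.match(r"eval\s+([\w.]+)\s*=\s*(.+)$", stage, re.I | re.S)
            if not m:
                continue
            target, expr = m.groups()
            expr = re.sub(r'"[^"]*"', "", expr)  # drop string literals
            # An identifier not followed by "(" is a field read, not a function.
            for name in re.findall(r"(?<![\w.])[A-Za-z_][\w.]*\b(?!\s*\()", expr):
                if name not in fields:
                    problems.append((target, name))
            fields.add(target)
    return problems

# The pipelines from the thread: the question's tstats query and the corrected one.
TSTATS = ('| tstats count(ABC.exec_time) as exec_time FROM datamodel=ABC '
          'WHERE (sourcetype=error OR sourcetype=info) ABC.client=11222333 '
          'groupby _time span=1h |bucket _time span=1h ')
TAIL = ('count(eval(sourcetype=="error")) as Errors '
        'count(eval(exec_time > 3000)) as SlowCalls by _time '
        '| eval Performance = round((1-(SlowCalls/API_Calls))*100, 3) '
        '| table _time, Performance')
BROKEN = TSTATS + '| stats count as Total count(eval(sourcetype=="info")) as Calls ' + TAIL
FIXED = TSTATS + '| stats count as Total count(eval(sourcetype=="info")) as API_Calls ' + TAIL

if __name__ == "__main__":
    for label, query in (("question", BROKEN), ("answer", FIXED)):
        print(label, undefined_eval_fields(query))
```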