- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to edit my search to have stats sum() function...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to edit my search to have stats sum() function to work correctly on summary index?
Hi Team,
I am using following Spunk search, which will fetch the requests having status >=500 and sum the total errors and display the count of errors as error_rate.
(index=data) | eval error=if (httpstatus>=500, 1, 0) | stats sum(error) as error_rate
When I push the data to summary and I am trying to calculate the errors using below search, it is not giving me results.
index=summary | eval error=if (httpstatus >=500, 1, 0) | stats sum(error) as error_rate
Basically, stats sum() function is not working on summary index, can you let us know, is there any workaround to make sum function on summary index?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A couple of things are needed to clear up your issue.
First what does the summary index search look like? Are you using an si- command like sistats? If so, can you share the last bits of the summary indexing search so that we can see the complete thing.
In general, if you are using an si command for summary indexing, you have to use the corresponding non- si command as the first operation when you query the summary index in your second search. So, if you are using sistats to write to the summary index, you very likely do not have the field error in the results after the query index=summary. Instead, you have some crazy looking internal field names that Splunk uses to summarize the data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Based on your comment below @smaran06, I think you would have to do your second query the following way (with stats being the first thing after the initial search).
index=summary | stats count by httpstatus, method | eval error=if(httpstatus >=500, 1, 0) | stats sum(error) as error_rate
You may be able to slightly speed it up using the following where you remove "method", but you would want to double check this against the first query's results.
index=summary | stats count by httpstatus | eval error=if(httpstatus >=500, 1, 0) | stats sum(error) as error_rate
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am using sistats and query look as below
index= data application="applicationname" |sistats count by httpstatus,method
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Then I would think that this query would work
index=summary | stats count by httpstatus | eval error=if(httpstatus >=500, 1, 0) | stats sum(error) as error_rate
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After you run your summary index query, the only field available there is error_rate (plus other default summary index fields you may not be interested in). So in your summary index, what you should use is this
index=summary | stats sum(error_rate) as error_rate
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
