Hey everyone,
I need a little assistance converting these 2 searches (one is a pivot search) I have into tstats searches.
| pivot Expweb_Tracelog_Service Service_Events count(Service_Events) AS "Count of Service_Events" SPLITROW _time AS _time PERIOD auto SPLITCOL eventName FILTER eventName is service:SoftvoyageService* FILTER success is false SORT 100 _time ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 100 SHOWOTHER 1
index = exp sourcetype = expwebtracelog splunk_server_group = ewe host = cheXwbtexweb10* eventName=service:SoftvoyageService* OR eventName=ThreePP* | stats count AS Total count(eval(success="true")) AS Successful count(eval(success="false")) AS Failed by eventName | eval "SuccessPercent"=(Total-Failed)/Total*100
Thanks,
You'll only be able to use tstats if the fields are indexed. By default, that is host, source, sourcetype and _time. If eventName and success are search time fields then you will not be able to use tstats.
You can quickly check by running the following search
| tstats count WHERE sourcetype = expwebtracelog (eventName=* OR success=*) by eventName,success
If you get no results then these are not indexed fields.
If your data model is accelerated you might be able to use tstats for your first query, try
| tstats prestats=t count FROM datamodel=Expweb_Tracelog_Service.Service_Events WHERE Service_Events.eventName="service:SoftvoyageService*" AND Service_Events.success=false BY _time | timechart count AS "Count of Service_Events" | head 100
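For the second search, a possible tstats form is sketched below as an added example; it is not part of the answer above. tstats cannot evaluate count(eval(...)), so the counts are split by success first and re-aggregated with stats. It assumes the Expweb_Tracelog_Service data model is accelerated, that eventName and success are fields of a root dataset named Service_Events, and it leaves out the splunk_server_group filter from the original search.

```spl
| tstats count FROM datamodel=Expweb_Tracelog_Service.Service_Events
    WHERE index=exp sourcetype=expwebtracelog host=cheXwbtexweb10*
      (Service_Events.eventName="service:SoftvoyageService*" OR Service_Events.eventName="ThreePP*")
    BY Service_Events.eventName Service_Events.success
| rename Service_Events.* AS *
| stats sum(count) AS Total
        sum(eval(if(success="true", count, 0))) AS Successful
        sum(eval(if(success="false", count, 0))) AS Failed
        BY eventName
| eval SuccessPercent=(Total-Failed)/Total*100
```

Events that have no success value are dropped by the BY clause, so Total can come out lower than in the original search.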