Splunk Search

tstats web datamodel unable to use status in eval

eco_rb023
Engager

Hi,

I've been having issues with using eval commands with the status field from the Web datamodel, specifically with the tstats command. I'm trying to categorize the status field into failures and successes based on their value. I'm then taking the failures and successes and calculating the failure percentage, and then alerting based on thresholds for the failures and failure percentage, looking at a lookup of target sites. Example of the logic:

|tstats count(eval(Web.status>=400)) as failures count(eval(Web.status<400)) as successes values(Web.status) as status count FROM datamodel=Web WHERE [|inputlookup lookup.csv | fields Web.url] BY Web.src
|eval failure_percentage=round((if(failures=0, 0, (failures/count)*100)), 0)
|search failures>40 failure_percentage>75

However, the logic runs into problems where it fails to fire the alert. When investigating, the logic doesn't count the failures and successes despite the status code clearly being within range to classify as one. This logic also worked fine about 2 weeks ago but suddenly seemed to stop working almost overnight. It can still fire into triggered alerts, but you can't run the logic over the timeframe of the triggered alert to check results.

To investigate the issue further, I modified the logic to work with the datamodel command instead of the tstats command:

|datamodel Web search
|search [|inputlookup lookup.csv | fields Web.url]
|stats count(eval(Web.status>=400)) as failures count(eval(Web.status<400)) as successes values(Web.status) as status count by Web.src
|eval failure_percentage=round((if(failures=0, 0, (failures/count)*100)), 0)
|search failures>40 failure_percentage>75

Running this logic, the failures and successes populate like expected. I'm not entirely sure why the logic seems to work fine with datamodel but not the tstats command. Does anyone have any idea why this logic seems to work with datamodel but not with tstats?

pmalcakdoj
Path Finder

It seems that you cannot perform eval logic inside tstats (not sure why).

Eval logic works fine inside stats, but not inside tstats.
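One way to get the same failure/success split without putting any eval inside the tstats aggregation, written here as an added example rather than the original poster's query or an answer from the thread: let tstats split by Web.status as well as Web.src, do the classification afterwards in an ordinary eval, and re-aggregate with stats. The lookup name lookup.csv and the thresholds 40 and 75 are taken from the question; the single quotes around 'Web.status' in the eval are the Splunk syntax for referencing a field name that contains a period.

```spl
| tstats count FROM datamodel=Web
    WHERE [| inputlookup lookup.csv | fields Web.url]
    BY Web.src Web.status
| eval failures=if('Web.status'>=400, count, 0),
       successes=if('Web.status'<400, count, 0)
| stats sum(failures) AS failures, sum(successes) AS successes,
        values(Web.status) AS status, sum(count) AS count
        BY Web.src
| eval failure_percentage=if(count=0, 0, round((failures/count)*100, 0))
| search failures>40 failure_percentage>75
```

The tstats call returns at most one row per (src, status) pair, so the eval and stats that follow run over a small summary table rather than raw events, and the numeric comparison on the status code happens in a normal search pipeline where eval is fully supported. sum(count) reproduces the per-source total that the original query obtained from a bare count.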

woodcock
Esteemed Legend

Your datamodel is no longer accelerated or your acceleration is incomplete for some reason. You will just have to dig into it.

0 Karma

Vijeta
Influencer

Did you check for the datamodel acceleration?

0 Karma
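A quick way to check whether the acceleration summary actually covers the window being searched, added here as an example and not taken from the thread: run the same count once restricted to the summary (summariesonly=true) and once with the default behaviour, which falls back to raw events for anything not yet summarized, then compare the two over the time range of the alert.

```spl
| tstats summariesonly=true count FROM datamodel=Web
| rename count AS summary_events
| appendcols
    [| tstats summariesonly=false count FROM datamodel=Web
     | rename count AS all_events]
| eval summary_coverage_pct=if(all_events=0, 0,
                               round((summary_events/all_events)*100, 1))
| table summary_events all_events summary_coverage_pct
```

If summary_events is far below all_events (or zero) for the period the alert failed on, the accelerated summary is missing or incomplete for that period, which is what the two answers above suggest. Settings > Data models in Splunk Web shows whether acceleration is enabled for the Web model and whether a summary build or rebuild is still in progress.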