Thanks for the response
I'm not sure whether it's down to the version of Splunk I am using, which is Splunk Version ...6.6.6.1, but the below line does not return any results
cs_dataowner_id="ICTO-18172" cs_stage="PROD" source="dqs" "FetchTradesHistoric invoked" | timechart span=15m count as calls by host
I have to use my original format below to get a result set, which it does for each host
cs_dataowner_id="ICTO-18172" cs_stage="PROD" | search source="dqs" | search "FetchTradesHistoric invoked" | timechart span=15m count as calls by host | eventstats max(calls) as max_calls min(calls) as min_calls avg(calls) as average_calls
If I then try to append the below to the above search, I again get no results. Is this a version or format issue?
"| stats values(max_calls) as max_calls, values(min_calls) as min_calls, values(average_calls) as average_calls"
If I do the full search with the eval function included I get the syntax error below
"⚠ Error in 'stats' command: The eval expression for dynamic field 'eval(if(calls==max_calls), host, NULL)' is invalid. Error='The operator at ', host, NULL' is invalid.' "