Hi,
I am trying to combine results into two categories based on an eval statement.
The original query returns the results fine, but is slow because of the large amount of results and the extended time frame:
index=enc sourcetype=enc type=trace source=*123456*| eval Call = if(app_type="API", "sdk", "non-sdk") | stats count by Call
I tried the following with `tstats`, but none of them work, meaning they displayed 0 results.
| tstats count from datamodel=Enc where sourcetype=trace Enc.type=TRACE Enc.cid=1234567 Enc.app_type=*
| `drop_dm_object_name("Enc")`
| eval Call=if(app_type=="API", "sdk","non-sdk")
| stats sum(count) by Call
AND
| tstats count from datamodel=Enc where sourcetype=enc-trace Enc.type=TRACE Enc.cid=1234567
| `drop_dm_object_name("Enc")`
| eval sdk=if(app_type="API",count,0), non-sdk=if(app_type!="API",count,0)
| stats sum(sdk) as SDK, sum(non-sdk) as NON-SDK
I would appreciate help and ideas from Splunkers.
Thanks
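For readers landing on this thread: the searches below are an added example, not the poster's own searches, showing the form a `tstats` search needs for the `eval` to see the field. After `tstats`, only the fields named in the `by` clause survive, so `app_type` must be grouped on before `eval` can test it; the `where` filter values (`Enc`, `TRACE`, `1234567`, the sourcetype name) are taken from the post, and whether the data model's sourcetype is `enc`, `trace` or `enc-trace` is an assumption to verify against the model's own definition.

```spl
``` Step 1: check that the data model actually carries the field and the filter values match.
    Replace the sourcetype value with whatever the Enc data model's root search indexes. ```
| tstats count from datamodel=Enc where Enc.type=TRACE Enc.cid=1234567 by Enc.app_type

``` Step 2: group by app_type in tstats so eval can see it, then collapse into two categories.
    count is per app_type here, so it must be summed after the eval. ```
| tstats count from datamodel=Enc where Enc.type=TRACE Enc.cid=1234567 by Enc.app_type
| `drop_dm_object_name("Enc")`
| eval Call=if(app_type=="API", "sdk", "non-sdk")
| stats sum(count) as count by Call

``` Alternative: one row with two columns. Hyphenated field names must be quoted,
    so "non-sdk" is quoted in the eval and the stats. ```
| tstats count from datamodel=Enc where Enc.type=TRACE Enc.cid=1234567 by Enc.app_type
| `drop_dm_object_name("Enc")`
| eval sdk=if(app_type=="API", count, 0), "non-sdk"=if(app_type!="API", count, 0)
| stats sum(sdk) as SDK, sum("non-sdk") as "NON-SDK"
```

If step 1 returns 0 rows, the `where` clause is the problem (wrong sourcetype value, or `cid` is not a field in the Enc data model), not the `eval`; if it returns rows with an empty `app_type`, the field is not in the data model and `tstats` cannot categorize on it. Note also that the data model must be accelerated for `tstats` to be faster than the original `stats` search over raw events.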