https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-use-the-tstats-command-with-a-fillnull/m-p/436150#M124328 <P>Hi @kamlesh_vaghela,</P> <P>It looks like only those fields we can use with tstats which is extracted at time of indexing, as I am running <CODE>walklex</CODE> on _internal index bucket and I can see <CODE>component</CODE> field in tsidx file so we can use that in tstats but not other fields like <CODE>bytes</CODE> from _internal index with above query (If we use datamodel then we can definitely use that <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> but without datamodel I think tstats limits with only fields which are extracted at index time)</P> Wed, 17 Oct 2018 15:51:34 GMT harsmarvania57 2018-10-17T15:51:34Z https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-use-the-tstats-command-with-a-fillnull/m-p/436148#M124326 <P>Greetings,</P> <P>So, I want to use the <CODE>tstats</CODE> command. It's super fast and efficient. But not if it's going to remove important results. Any record that happens to have just one null value at search time just gets eliminated from the count. That's important data to know.</P> <P>With classic search I would do this:</P> <PRE><CODE>index=* mysearch=* | fillnull value="null" field1 field2 (etc...) | stats count by field1 field2 (etc...) </CODE></PRE> <P>with this, I see my events, and if one shows up as "null" in a couple fields, well, I know it was empty!</P> <P>Can this be accomplished with the <CODE>tstats</CODE> command? Thank you so much.</P> <P>Sincerely,<BR /> A want-to-be tstats advocate</P> Tue, 16 Oct 2018 22:58:12 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-use-the-tstats-command-with-a-fillnull/m-p/436148#M124326 chris94089 2018-10-16T22:58:12Z https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-use-the-tstats-command-with-a-fillnull/m-p/436149#M124327 <P>@chris94089</P> <P>Can you please try this?</P> <PRE><CODE>|tstats count values(field1) as field1 values(field2) as field2 where index=YOUR_INDEX by _time | fillnull field1 field2 value="NULL" | stats sum(count) as count by field1 field2 </CODE></PRE> <P><STRONG>My Sample Search:</STRONG></P> <PRE><CODE>|tstats count values(component) as component where index=_internal by _time index | fillnull component value="NULL" | stats sum(count) as count by component </CODE></PRE> <P>Thanks</P> Wed, 17 Oct 2018 12:48:15 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-use-the-tstats-command-with-a-fillnull/m-p/436149#M124327 kamlesh_vaghela 2018-10-17T12:48:15Z https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-use-the-tstats-command-with-a-fillnull/m-p/436150#M124328 <P>Hi @kamlesh_vaghela,</P> <P>It looks like only those fields we can use with tstats which is extracted at time of indexing, as I am running <CODE>walklex</CODE> on _internal index bucket and I can see <CODE>component</CODE> field in tsidx file so we can use that in tstats but not other fields like <CODE>bytes</CODE> from _internal index with above query (If we use datamodel then we can definitely use that <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> but without datamodel I think tstats limits with only fields which are extracted at index time)</P> Wed, 17 Oct 2018 15:51:34 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-use-the-tstats-command-with-a-fillnull/m-p/436150#M124328 harsmarvania57 2018-10-17T15:51:34Z