https://community.splunk.com/t5/Splunk-Search/use-of-tstats-instead-of-stats/m-p/456564#M129061 <P>i understand your point and it seems fields are not indexed , in this case what should be my approach?</P> <P>Because when i run the query with normal way i get "search auto finilized after disk usage limit reached to 1000MB" as when i check the sourcetype count its too huge -- 1566206536</P> <P>index=xyz sourcetype=abc <BR /> | fields TERM_SUBGRPG_CD ORIG_POINT_CD TERM_GRPG_CD DPC_CARRIER_LONG_NM CALLED_PARTY_NOA_CD DEST_POINT_CD DPC_TOLL_IND GENERIC_PORTED_SUBGRPG_CD OPC_CARRIER_LONG_NM OPC_CLLI_CD DPC_CLLI_CD SUM_BILL_TM_CNT SUM_NTWK_DURTN_CNT TOTAL_CALL_CNT DMS_FILE - _raw <BR /> | fillnull value=0 <BR /> | stats sum(SUM_BILL_TM_CNT) as SUM_BILL_TM_CNT,sum(SUM_NTWK_DURTN_CNT) as SUM_NTWK_DURTN_CNT, sum(TOTAL_CALL_CNT) as TOTAL_CALL_CNT by DPC_CARRIER_LONG_NM,CALLED_PARTY_NOA_CD DEST_POINT_CD, DPC_CLLI_CD, OPC_CLLI_CD,TERM_SUBGRPG_CD <BR /> | table OPC_CLLI_CD DPC_CARRIER_LONG_NM CALLED_PARTY_NOA_CD DEST_POINT_CD DPC_CLLI_CD TERM_SUBGRPG_CD SUM_BILL_TM_CNT SUM_NTWK_DURTN_CNT TOTAL_CALL_CNT <BR /> | sort 0 - SUM_BILL_TM_CNT</P> Wed, 30 Sep 2020 01:50:07 GMT vikashperiwal 2020-09-30T01:50:07Z https://community.splunk.com/t5/Splunk-Search/use-of-tstats-instead-of-stats/m-p/456559#M129056 <P>I am trying to iterate through 16million data and trying to use tstats instead of stats... please help me out in converting the stats query to tstats.<BR /> query</P> <P>index=xyz sourcetype=SUMMARY<BR /> | fields TERM_SUBGRPG_CD ORIG_POINT_CD TERM_GRPG_CD DPC_CARRIER_LONG_NM CALLED_PARTY_NOA_CD DEST_POINT_CD DPC_TOLL_IND GENERIC_PORTED_SUBGRPG_CD OPC_CARRIER_LONG_NM OPC_CLLI_CD DPC_CLLI_CD SUM_BILL_TM_CNT SUM_NTWK_DURTN_CNT TOTAL_CALL_CNT DMS_FILE - _raw <BR /> | fillnull value=0 <BR /> | stats sum(SUM_BILL_TM_CNT) as SUM_BILL_TM_CNT,sum(SUM_NTWK_DURTN_CNT) as SUM_NTWK_DURTN_CNT, sum(TOTAL_CALL_CNT) as TOTAL_CALL_CNT by DPC_CARRIER_LONG_NM,CALLED_PARTY_NOA_CD DEST_POINT_CD, DPC_CLLI_CD, OPC_CLLI_CD,TERM_SUBGRPG_CD <BR /> | table OPC_CLLI_CD DPC_CARRIER_LONG_NM CALLED_PARTY_NOA_CD DEST_POINT_CD DPC_CLLI_CD TERM_SUBGRPG_CD SUM_BILL_TM_CNT SUM_NTWK_DURTN_CNT TOTAL_CALL_CNT <BR /> | sort 0 - SUM_BILL_TM_CNT</P> Wed, 30 Sep 2020 01:49:40 GMT https://community.splunk.com/t5/Splunk-Search/use-of-tstats-instead-of-stats/m-p/456559#M129056 vikashperiwal 2020-09-30T01:49:40Z https://community.splunk.com/t5/Splunk-Search/use-of-tstats-instead-of-stats/m-p/456560#M129057 <P>Here's how it might look:</P> <PRE><CODE>| tstats sum(SUM_BILL_TM_CNT) as SUM_BILL_TM_CNT,sum(SUM_NTWK_DURTN_CNT) as SUM_NTWK_DURTN_CNT, sum(TOTAL_CALL_CNT) as TOTAL_CALL_CNT by DPC_CARRIER_LONG_NM,CALLED_PARTY_NOA_CD DEST_POINT_CD, DPC_CLLI_CD, OPC_CLLI_CD,TERM_SUBGRPG_CD where index=xyz sourcetype=SUMMARY | table OPC_CLLI_CD DPC_CARRIER_LONG_NM CALLED_PARTY_NOA_CD DEST_POINT_CD DPC_CLLI_CD TERM_SUBGRPG_CD SUM_BILL_TM_CNT SUM_NTWK_DURTN_CNT TOTAL_CALL_CNT | sort 0 - SUM_BILL_TM_CNT </CODE></PRE> <P>There are some caveats:<BR /> 1. <CODE>tstats</CODE> is a generating command so it must be first in the query.<BR /> 2. All fields referenced by <CODE>tstats</CODE> must be indexed. There is no search-time extraction of fields.<BR /> 3. <CODE>fillnull</CODE> cannot be used since it can't precede <CODE>tstats</CODE>.</P> Mon, 19 Aug 2019 13:58:28 GMT https://community.splunk.com/t5/Splunk-Search/use-of-tstats-instead-of-stats/m-p/456560#M129057 richgalloway 2019-08-19T13:58:28Z https://community.splunk.com/t5/Splunk-Search/use-of-tstats-instead-of-stats/m-p/456561#M129058 <P>Thanks for quick response.</P> <P>I tried the above approach but no luck, let me know if i am missing anything. I broke query into simple form.</P> <P>| tstats values(SUM_BILL_TM_CNT) where index=ndspr | stats sum(SUM_BILL_TM_CNT) as SUM_BILL_TM_CNT by DPC_CARRIER_LONG_NM,CALLED_PARTY_NOA_CD DEST_POINT_CD, DPC_CLLI_CD, OPC_CLLI_CD,TERM_SUBGRPG_CD <BR /> | table SUM_BILL_TM_CNT</P> <P>tstats--Here number of events --25,702,086 and output no results</P> <P>index=ndspr | stats sum(SUM_BILL_TM_CNT) as SUM_BILL_TM_CNT by DPC_CARRIER_LONG_NM,CALLED_PARTY_NOA_CD DEST_POINT_CD, DPC_CLLI_CD, OPC_CLLI_CD,TERM_SUBGRPG_CD </P> <P>| table SUM_BILL_TM_CNT--- same number of events and i am getting output.</P> Wed, 30 Sep 2020 01:49:45 GMT https://community.splunk.com/t5/Splunk-Search/use-of-tstats-instead-of-stats/m-p/456561#M129058 vikashperiwal 2020-09-30T01:49:45Z https://community.splunk.com/t5/Splunk-Search/use-of-tstats-instead-of-stats/m-p/456562#M129059 <P>| tstats values(SUM_BILL_TM_CNT) where index=ndspr | stats sum(SUM_BILL_TM_CNT) as SUM_BILL_TM_CNT by DPC_CARRIER_LONG_NM,CALLED_PARTY_NOA_CD DEST_POINT_CD, DPC_CLLI_CD, OPC_CLLI_CD,TERM_SUBGRPG_CD <BR /> | table SUM_BILL_TM_CNT</P> <P>As written the tstats command should return one statistic, the list of values(SUM_BILL_TM_CNT) as "values(SUM_BILL_TM_CNT)"</P> <P>Therefore the stats command is not getting any of the fields referenced. </P> <P>If the recommended tstats search doesnt return results:</P> <P>| tstats sum(SUM_BILL_TM_CNT) as SUM_BILL_TM_CNT,sum(SUM_NTWK_DURTN_CNT) as SUM_NTWK_DURTN_CNT, sum(TOTAL_CALL_CNT) as TOTAL_CALL_CNT by DPC_CARRIER_LONG_NM,CALLED_PARTY_NOA_CD DEST_POINT_CD, DPC_CLLI_CD, OPC_CLLI_CD,TERM_SUBGRPG_CD where index=xyz sourcetype=SUMMARY</P> <P>I would verify that all of the fields specified are INDEXED fields.</P> Wed, 30 Sep 2020 01:47:55 GMT https://community.splunk.com/t5/Splunk-Search/use-of-tstats-instead-of-stats/m-p/456562#M129059 solarboyz1 2020-09-30T01:47:55Z https://community.splunk.com/t5/Splunk-Search/use-of-tstats-instead-of-stats/m-p/456563#M129060 <P>You broke the query, but not into simple form. Queries should be broken at <CODE>|</CODE> characters only. Inserting extra commands doesn't help.<BR /> If the query in my answer doesn't work then it's probably because the fields used in the <CODE>tstats</CODE> command were not extracted at index time. <CODE>tstats</CODE> won't work otherwise.</P> Mon, 19 Aug 2019 19:27:44 GMT https://community.splunk.com/t5/Splunk-Search/use-of-tstats-instead-of-stats/m-p/456563#M129060 richgalloway 2019-08-19T19:27:44Z https://community.splunk.com/t5/Splunk-Search/use-of-tstats-instead-of-stats/m-p/456564#M129061 <P>i understand your point and it seems fields are not indexed , in this case what should be my approach?</P> <P>Because when i run the query with normal way i get "search auto finilized after disk usage limit reached to 1000MB" as when i check the sourcetype count its too huge -- 1566206536</P> <P>index=xyz sourcetype=abc <BR /> | fields TERM_SUBGRPG_CD ORIG_POINT_CD TERM_GRPG_CD DPC_CARRIER_LONG_NM CALLED_PARTY_NOA_CD DEST_POINT_CD DPC_TOLL_IND GENERIC_PORTED_SUBGRPG_CD OPC_CARRIER_LONG_NM OPC_CLLI_CD DPC_CLLI_CD SUM_BILL_TM_CNT SUM_NTWK_DURTN_CNT TOTAL_CALL_CNT DMS_FILE - _raw <BR /> | fillnull value=0 <BR /> | stats sum(SUM_BILL_TM_CNT) as SUM_BILL_TM_CNT,sum(SUM_NTWK_DURTN_CNT) as SUM_NTWK_DURTN_CNT, sum(TOTAL_CALL_CNT) as TOTAL_CALL_CNT by DPC_CARRIER_LONG_NM,CALLED_PARTY_NOA_CD DEST_POINT_CD, DPC_CLLI_CD, OPC_CLLI_CD,TERM_SUBGRPG_CD <BR /> | table OPC_CLLI_CD DPC_CARRIER_LONG_NM CALLED_PARTY_NOA_CD DEST_POINT_CD DPC_CLLI_CD TERM_SUBGRPG_CD SUM_BILL_TM_CNT SUM_NTWK_DURTN_CNT TOTAL_CALL_CNT <BR /> | sort 0 - SUM_BILL_TM_CNT</P> Wed, 30 Sep 2020 01:50:07 GMT https://community.splunk.com/t5/Splunk-Search/use-of-tstats-instead-of-stats/m-p/456564#M129061 vikashperiwal 2020-09-30T01:50:07Z https://community.splunk.com/t5/Splunk-Search/use-of-tstats-instead-of-stats/m-p/456565#M129062 <P>If you want to use tstats, I recommend creating a data model:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.3.1/Knowledge/Aboutdatamodels">https://docs.splunk.com/Documentation/Splunk/7.3.1/Knowledge/Aboutdatamodels</A></P> <P>That includes at minimum, the fields specified in your search. </P> Tue, 20 Aug 2019 14:00:42 GMT https://community.splunk.com/t5/Splunk-Search/use-of-tstats-instead-of-stats/m-p/456565#M129062 solarboyz1 2019-08-20T14:00:42Z