topic Re: tstats, no using stats-function-field, using row-field. in Splunk Search

tstats, no using stats-function-field, using row-field.

nasha430 — Fri, 28 May 2021 09:07:24 GMT

Hi,

I use tstats, but tstats use required argument ( stats-func ).
I want to write SPL.

| tstats summariesonly=t <field1>, <field2> FROM datamodel=<datamodel-name> BY <field3>

| dedup <field1>
| stats sum(<field2>) by <fields1>

Is this possible??

datamodel acceleration is done.
I'm looking for manual for this,but I don't detect manual about tstats.

Re: tstats, no using stats-function-field, using row-field.

aasabatini — Fri, 28 May 2021 09:53:02 GMT

Hi @nasha430

absolutely yes!

below you can find my example, I used authentication datamodel

hope can help

| tstats `summariesonly` values(Authentication.app) as app,values(Authentication.user) as user, count from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.action,Authentication.src | dedup user | stats sum(user) by app

Re: tstats, no using stats-function-field, using row-field.

nasha430 — Sun, 30 May 2021 23:57:00 GMT

@aasabatini Thanks you, your message.

but I want to see field, not stats field.
Based on your SPL, I want to see this.

| tstats `summariesonly` Authentication.app as app,Authentication.user as user, count from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.action,Authentication.src | dedup user | stats sum(app) by user

because I need deduplication of user event and I don't need deduplication of app data.

Re: tstats, no using stats-function-field, using row-field.

aasabatini — Mon, 31 May 2021 07:42:45 GMT

Hi @nasha430

I don't understand your request, with the Tstats function is not possible create a search with a normal SPL, you must use stats function like values or sum, maybe you can use datamodel command but is not accelerated.

Regards

Alessandro

Re: tstats, no using stats-function-field, using row-field.

nasha430 — Tue, 01 Jun 2021 01:07:11 GMT

@aasabatini Hello!
Please, let you know my conditional factor. Exactly not use tstats command. ( I still am solving my situation, I study lookup command. I will finish my situation with hope.)

fields : user(data: STRING), reg_no(data:NUMBER), FILE_HASH(data : HASHCODE)

1. I use 'datamodel acceleration'.
2. I do 'FILE_HASH(field) deduplication'. Event have deduplicated.

3. After deduplication, I use sum(reg_no).

So I try code.
| tstats summariesonly=t reg_no FILE_HASH FROM datamodel="<datamodel>" by user

| dedup FILE_HASH

| stats sum(reg_no) by user.

But tstats don't use fields... so I have to find other way.

I will try lookup command! Maybe let me know other thinking or command.

Re: tstats, no using stats-function-field, using row-field.

nasha430 — Tue, 01 Jun 2021 01:17:02 GMT

@aasabatini Hi!

In my thought If tstats use 'list' command, my issue can be solved.

I see search reference, can't use 'list' function.
Can it be Other way?

Re: tstats, no using stats-function-field, using row-field.

nasha430 — Tue, 01 Jun 2021 02:32:33 GMT

@aasabatini Oh! I find solution!!

Thanks... because you listen my issue, I find my solution. ㅠㅠ.

This is my way.

| tstats summariesonly=t values(<dataset>.reg_no) as reg_no FROM datamodel=<datamodel> BY <dataset>.user <dataset>.FILE_HASH
| dedup <dataset>.user <dataset>.FILE_HASH
| stats sum(reg_no) by <dataset>.user

Thanks aasabatini!! good luck.

Re: tstats, no using stats-function-field, using row-field.

aasabatini — Thu, 03 Jun 2021 07:50:06 GMT

@nasha430 Great!