https://community.splunk.com/t5/Splunk-Search/How-can-I-use-tstats-to-search-event-count-comparing-with-last/m-p/295359#M165639 <P>The </P> <BLOCKQUOTE> <P>[search [|tstats</P> </BLOCKQUOTE> <P>is seeing </P> <BLOCKQUOTE> <P>|tstats</P> </BLOCKQUOTE> <P>as a subsearch of an empty subsearch. Remove the </P> <BLOCKQUOTE> <P>[search...]</P> </BLOCKQUOTE> <P>and it should work:</P> <P>| tstats count where index=wineventlog sourcetype="xmlwineventlog:security" earliest=-15m@m-1w latest=@m-1w by host | rename count as LastWeek<BR /> | appendcols [|tstats count where index=wineventlog sourcetype="xmlwineventlog:security" earliest=-15m@m latest=@m by host | rename count as Today]<BR /> | table host LastWeek Today</P> Thu, 12 Oct 2017 15:35:44 GMT myriadic 2017-10-12T15:35:44Z https://community.splunk.com/t5/Splunk-Search/How-can-I-use-tstats-to-search-event-count-comparing-with-last/m-p/295358#M165638 <P>I have a search that works with stats - but fail to work when using tstats..</P> <P>Here is the search with stats:</P> <PRE><CODE>index=wineventlog sourcetype="xmlwineventlog:security" earliest=-15m@m-1w latest=@m-1w | stats count by host | rename count as LastWeek | appendcols [search index=wineventlog sourcetype="xmlwineventlog:security" earliest=-15m@m latest=@m | stats count by host | rename count as Today] | table host Today LastWeek </CODE></PRE> <P>Since this search take some time - I thought that I should use tstats instead - but some how I can't make it work. The individual<BR /> searches works - but not combined as subsearch as in this example:</P> <PRE><CODE>| tstats count where index=wineventlog sourcetype="xmlwineventlog:security" earliest=-15m@m-1w latest=@m-1w by host | rename count as LastWeek | appendcols [search [|tstats count where index=wineventlog sourcetype="xmlwineventlog:security" earliest=-15m@m latest=@m by host | rename count as Today]] | table host LastWeek Today </CODE></PRE> <P>In this search it only returns values for "LastWeek" - nothing for "Today", but the individual searches with tstast works without problems.</P> <P>Anyone with a clue?</P> Thu, 12 Oct 2017 13:50:44 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-use-tstats-to-search-event-count-comparing-with-last/m-p/295358#M165638 splunk_pn 2017-10-12T13:50:44Z https://community.splunk.com/t5/Splunk-Search/How-can-I-use-tstats-to-search-event-count-comparing-with-last/m-p/295359#M165639 <P>The </P> <BLOCKQUOTE> <P>[search [|tstats</P> </BLOCKQUOTE> <P>is seeing </P> <BLOCKQUOTE> <P>|tstats</P> </BLOCKQUOTE> <P>as a subsearch of an empty subsearch. Remove the </P> <BLOCKQUOTE> <P>[search...]</P> </BLOCKQUOTE> <P>and it should work:</P> <P>| tstats count where index=wineventlog sourcetype="xmlwineventlog:security" earliest=-15m@m-1w latest=@m-1w by host | rename count as LastWeek<BR /> | appendcols [|tstats count where index=wineventlog sourcetype="xmlwineventlog:security" earliest=-15m@m latest=@m by host | rename count as Today]<BR /> | table host LastWeek Today</P> Thu, 12 Oct 2017 15:35:44 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-use-tstats-to-search-event-count-comparing-with-last/m-p/295359#M165639 myriadic 2017-10-12T15:35:44Z https://community.splunk.com/t5/Splunk-Search/How-can-I-use-tstats-to-search-event-count-comparing-with-last/m-p/295360#M165640 <P>Ok, thank you!<BR /> I knew it was something simple - sometimes you need someone else eyes - to see the obvious...</P> <P>Thanka, again.</P> Fri, 13 Oct 2017 06:51:43 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-use-tstats-to-search-event-count-comparing-with-last/m-p/295360#M165640 splunk_pn 2017-10-13T06:51:43Z