https://community.splunk.com/t5/Splunk-Search/Convert-normal-search-to-tstats/m-p/620858#M215812 <P>Dears,</P> <P>&nbsp;</P> <P>We need your support to convert below search to tstats search.</P> <LI-CODE lang="markup">(index=os_windows OR index=workstation*) tag=authentication user!=*$ action=success EventCode=4624 Logon_Type=10 OR Logon_Type=2 user=admin OR user=administrator OR user=Paradmin OR user=symadmin | table _time index user Source_Network_Address Workstation_Name action Logon_Type | dedup user Workstation_Name</LI-CODE> <P>&nbsp;</P> <P>Please your support.</P> <P>&nbsp;</P> <P>Best Regards,</P> <P>&nbsp;</P> Tue, 15 Nov 2022 13:54:14 GMT Abdullah 2022-11-15T13:54:14Z https://community.splunk.com/t5/Splunk-Search/Convert-normal-search-to-tstats/m-p/620858#M215812 <P>Dears,</P> <P>&nbsp;</P> <P>We need your support to convert below search to tstats search.</P> <LI-CODE lang="markup">(index=os_windows OR index=workstation*) tag=authentication user!=*$ action=success EventCode=4624 Logon_Type=10 OR Logon_Type=2 user=admin OR user=administrator OR user=Paradmin OR user=symadmin | table _time index user Source_Network_Address Workstation_Name action Logon_Type | dedup user Workstation_Name</LI-CODE> <P>&nbsp;</P> <P>Please your support.</P> <P>&nbsp;</P> <P>Best Regards,</P> <P>&nbsp;</P> Tue, 15 Nov 2022 13:54:14 GMT https://community.splunk.com/t5/Splunk-Search/Convert-normal-search-to-tstats/m-p/620858#M215812 Abdullah 2022-11-15T13:54:14Z https://community.splunk.com/t5/Splunk-Search/Convert-normal-search-to-tstats/m-p/620904#M215832 <P>What have you tried so far?</P><P>The current query has no <FONT face="courier new,courier">stats</FONT> command so there is no equivalent <FONT face="courier new,courier">tstats</FONT> query.&nbsp; Furthermore, the query appears to use fields that typically are not indexed (like EventCode), which makes <FONT face="courier new,courier">tstats</FONT> queries impossible.</P> Tue, 15 Nov 2022 14:00:13 GMT https://community.splunk.com/t5/Splunk-Search/Convert-normal-search-to-tstats/m-p/620904#M215832 richgalloway 2022-11-15T14:00:13Z https://community.splunk.com/t5/Splunk-Search/Convert-normal-search-to-tstats/m-p/621038#M215875 <P>Hi R<SPAN>ichgalloway,</SPAN></P><P>Thank you for your reply, but I think you can create new regular expression and create new field for the data model by editing the data model, then we can use this field.</P><P>Regads,</P> Wed, 16 Nov 2022 11:34:32 GMT https://community.splunk.com/t5/Splunk-Search/Convert-normal-search-to-tstats/m-p/621038#M215875 Abdullah 2022-11-16T11:34:32Z https://community.splunk.com/t5/Splunk-Search/Convert-normal-search-to-tstats/m-p/621069#M215895 <P>Yes, you can modify the data model to include other fields, but I advise against it.&nbsp; Once you modify a data model you own it.&nbsp; Any changes published by Splunk will not be available because your local change will override that delivered with the app.&nbsp; It's better to aliases and/or tags to have the desired field appear in the existing model.</P><P>Having the field in an index is only part of the problem.&nbsp; The non-tstats query does not compute any stats so there is no equivalent in <FONT face="courier new,courier">tstats</FONT>.</P> Wed, 16 Nov 2022 14:35:15 GMT https://community.splunk.com/t5/Splunk-Search/Convert-normal-search-to-tstats/m-p/621069#M215895 richgalloway 2022-11-16T14:35:15Z