https://community.splunk.com/t5/Splunk-Search/How-can-we-use-tstats-with-TERM-and-PREFIX/m-p/625136#M217307 <P>Ok, but&nbsp;TERM(4624) does work.&nbsp;</P> Thu, 22 Dec 2022 21:06:35 GMT danielbb 2022-12-22T21:06:35Z https://community.splunk.com/t5/Splunk-Search/How-can-we-use-tstats-with-TERM-and-PREFIX/m-p/625126#M217304 <P>I'm trying to run -&nbsp;<BR /><BR /></P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">| tstats count where index=wineventlog* TERM(EventID=4688) by _time span=1m</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>It returns no results but specifying just the term's value seems to work -&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">| tstats count where index=wineventlog* TERM(4624) by _time span=1m</LI-CODE> <P>&nbsp;</P> <P><BR /><BR /><BR /><A title="TSTATS and PREFIX" href="https://conf.splunk.com/files/2020/slides/PLA1089C.pdf" target="_self">https://conf.splunk.com/files/2020/slides/PLA1089C.pdf</A>&nbsp;explains the subject well but my simple query is not working.</P> Thu, 22 Dec 2022 20:40:13 GMT https://community.splunk.com/t5/Splunk-Search/How-can-we-use-tstats-with-TERM-and-PREFIX/m-p/625126#M217304 danielbb 2022-12-22T20:40:13Z https://community.splunk.com/t5/Splunk-Search/How-can-we-use-tstats-with-TERM-and-PREFIX/m-p/625132#M217306 <P>The <FONT face="courier new,courier">tstats</FONT> command only works with indexed fields, which usually does not include EventID.</P> Thu, 22 Dec 2022 20:27:55 GMT https://community.splunk.com/t5/Splunk-Search/How-can-we-use-tstats-with-TERM-and-PREFIX/m-p/625132#M217306 richgalloway 2022-12-22T20:27:55Z https://community.splunk.com/t5/Splunk-Search/How-can-we-use-tstats-with-TERM-and-PREFIX/m-p/625136#M217307 <P>Ok, but&nbsp;TERM(4624) does work.&nbsp;</P> Thu, 22 Dec 2022 21:06:35 GMT https://community.splunk.com/t5/Splunk-Search/How-can-we-use-tstats-with-TERM-and-PREFIX/m-p/625136#M217307 danielbb 2022-12-22T21:06:35Z https://community.splunk.com/t5/Splunk-Search/How-can-we-use-tstats-with-TERM-and-PREFIX/m-p/625139#M217308 <P>Which means that term is stored in a tsidx file (is indexed).</P> Thu, 22 Dec 2022 21:31:11 GMT https://community.splunk.com/t5/Splunk-Search/How-can-we-use-tstats-with-TERM-and-PREFIX/m-p/625139#M217308 richgalloway 2022-12-22T21:31:11Z https://community.splunk.com/t5/Splunk-Search/How-can-we-use-tstats-with-TERM-and-PREFIX/m-p/633914#M220164 <P>Hi danielbb,</P><P>You can try</P><P>| tstats count where index=wineventlog* TERM(EventID=*) by _time span=1m<BR />But in the _raw event, you must have something which corresponds, like</P><P>...EventID=4624...</P><P><BR />Then, if you want to use this EventID in the group by, you can try (be carefull The text you provide for the PREFIX() directive must be in lower case)</P><P>| tstats count where index=wineventlog* TERM(EventID=*) by PREFIX(eventid=) _time span=1m</P><P>Regards</P> Thu, 09 Mar 2023 15:40:21 GMT https://community.splunk.com/t5/Splunk-Search/How-can-we-use-tstats-with-TERM-and-PREFIX/m-p/633914#M220164 nordinethales 2023-03-09T15:40:21Z https://community.splunk.com/t5/Splunk-Search/How-can-we-use-tstats-with-TERM-and-PREFIX/m-p/636368#M221009 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/196884">@danielbb</a>&nbsp;,</P><P>&nbsp;</P><P>It's EventCode, not EventID. <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><LI-CODE lang="markup">| tstats count where index=wineventlog* TERM(EventCode=4688) by _time span=1m</LI-CODE><P>&nbsp;best regards,</P><P>&nbsp;</P><P>Andreas</P> Tue, 28 Mar 2023 17:05:32 GMT https://community.splunk.com/t5/Splunk-Search/How-can-we-use-tstats-with-TERM-and-PREFIX/m-p/636368#M221009 schose 2023-03-28T17:05:32Z https://community.splunk.com/t5/Splunk-Search/How-can-we-use-tstats-with-TERM-and-PREFIX/m-p/653454#M225812 <P>This is perfect.&nbsp;</P> Mon, 07 Aug 2023 18:03:45 GMT https://community.splunk.com/t5/Splunk-Search/How-can-we-use-tstats-with-TERM-and-PREFIX/m-p/653454#M225812 neelwoolies 2023-08-07T18:03:45Z