https://community.splunk.com/t5/Splunk-Search/Why-does-tstats-command-alter-time-stamps-when-I-run-it-by-time/m-p/635514#M220792 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;</P><P>&nbsp;</P><P>Thank you for your response. But in my case there are no groups, because i used also another field (id) in by section, which is unique. So I expected to see all events with their original timestamps.</P> Wed, 22 Mar 2023 15:52:58 GMT LIS 2023-03-22T15:52:58Z https://community.splunk.com/t5/Splunk-Search/Why-does-tstats-command-alter-time-stamps-when-I-run-it-by-time/m-p/635498#M220786 <P>I am wondering why tstats command alters time stamps when I run it by _time.<BR /><BR /></P> <P>| tstats values(text_len) as text_len&nbsp; values(ts) as ts where index = data sourcetype = cdr by _time thread_id num_attempts</P> <P>raw data in index=data :&nbsp;&nbsp;</P> <TABLE> <TBODY> <TR> <TD>Time</TD> <TD>&nbsp;</TD> <TD><A class="" href="https://bicssplunk.bc:8000/en-GB/app/dashboard_messaging/search?q=search%20index%20%3D%20data_sms%20sourcetype%20%3D%20openmind%3Asms%3Acdr&amp;display.page.search.mode=smart&amp;dispatch.sample_ratio=1&amp;workload_pool=&amp;earliest=1679487252&amp;latest=1679487258&amp;display.events.timelineEarliestTime=1679487255.9&amp;display.events.timelineLatestTime=1679487256.2&amp;sid=1679491269.24533_DEB8EF48-6AAD-4570-8ED3-D2E0419DC73E#" target="_blank" rel="noopener"><SPAN>_time</SPAN></A></TD> <TD>2023-03-22T13:14:16.000+01:00</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="LIS_0-1679491403739.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/24435i37247F2DB981C3E3/image-size/medium?v=v2&amp;px=400" role="button" title="LIS_0-1679491403739.png" alt="LIS_0-1679491403739.png" /></span></P> <P>After tstats:</P> <P><SPAN>2023-03-22 13:10:00</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="LIS_1-1679491530559.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/24436iC59AE1185160ED96/image-size/medium?v=v2&amp;px=400" role="button" title="LIS_1-1679491530559.png" alt="LIS_1-1679491530559.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 23 Mar 2023 14:43:05 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-tstats-command-alter-time-stamps-when-I-run-it-by-time/m-p/635498#M220786 LIS 2023-03-23T14:43:05Z https://community.splunk.com/t5/Splunk-Search/Why-does-tstats-command-alter-time-stamps-when-I-run-it-by-time/m-p/635513#M220791 <P>To group events by _time, <FONT face="courier new,courier">tstats</FONT> rounds the _time value down to create groups based on the specified span.&nbsp; If no span is specified, <FONT face="courier new,courier">tstats</FONT> will pick one that fits best in the time window search - 10 minutes in this case.</P> Wed, 22 Mar 2023 15:35:56 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-tstats-command-alter-time-stamps-when-I-run-it-by-time/m-p/635513#M220791 richgalloway 2023-03-22T15:35:56Z https://community.splunk.com/t5/Splunk-Search/Why-does-tstats-command-alter-time-stamps-when-I-run-it-by-time/m-p/635514#M220792 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;</P><P>&nbsp;</P><P>Thank you for your response. But in my case there are no groups, because i used also another field (id) in by section, which is unique. So I expected to see all events with their original timestamps.</P> Wed, 22 Mar 2023 15:52:58 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-tstats-command-alter-time-stamps-when-I-run-it-by-time/m-p/635514#M220792 LIS 2023-03-22T15:52:58Z https://community.splunk.com/t5/Splunk-Search/Why-does-tstats-command-alter-time-stamps-when-I-run-it-by-time/m-p/635545#M220802 <P><FONT face="courier new,courier">tstats</FONT> still would have modified the timestamps in anticipation of creating groups.&nbsp; It wouldn't know that would fail until it was too late.</P><P>If this was a <FONT face="courier new,courier">stats</FONT> command then you could copy _time to another field for grouping, but I don't know of a way to do that with <FONT face="courier new,courier">tstats</FONT>.</P> Wed, 22 Mar 2023 18:51:22 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-tstats-command-alter-time-stamps-when-I-run-it-by-time/m-p/635545#M220802 richgalloway 2023-03-22T18:51:22Z https://community.splunk.com/t5/Splunk-Search/Why-does-tstats-command-alter-time-stamps-when-I-run-it-by-time/m-p/635590#M220813 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/240613">@LIS</a>&nbsp;<BR /><BR /><A href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957" target="_blank" rel="noopener">@richgalloway</A><SPAN>&nbsp; is correct, it's due to grouping by the _time field.<BR /><BR /></SPAN>If you do want to pull the original _time out of the event then do not group by _time but pull it out as a field value, e.g.</P><PRE><SPAN>| tstats max(_time) AS _time values(text_len) as text_len&nbsp; values(ts) as ts where index = data sourcetype = cdr by thread_id num_attempts</SPAN>&nbsp;</PRE><P>&nbsp;This assumes that each event has a unique&nbsp;<SPAN>thread_id and num_attempts, but hopefully this demonstrates the difference in what you expected.</SPAN></P> Thu, 23 Mar 2023 02:53:08 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-tstats-command-alter-time-stamps-when-I-run-it-by-time/m-p/635590#M220813 yeahnah 2023-03-23T02:53:08Z https://community.splunk.com/t5/Splunk-Search/Why-does-tstats-command-alter-time-stamps-when-I-run-it-by-time/m-p/635591#M220814 <P>tstats by _time supports the span= argument, so you can do span=1s to get the a 1 second bucket of _time</P><P>&nbsp;</P> Thu, 23 Mar 2023 03:10:21 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-tstats-command-alter-time-stamps-when-I-run-it-by-time/m-p/635591#M220814 bowesmana 2023-03-23T03:10:21Z https://community.splunk.com/t5/Splunk-Search/Why-does-tstats-command-alter-time-stamps-when-I-run-it-by-time/m-p/700373#M237670 <P>I ran into the same thing, but I noticed that when I run my queries against a data model that is not accellerated, I get the right results.</P><P>Is there a reason why running against a datamodel that is accelerated and the same data model that is not accelerated yield different results?</P> Fri, 27 Sep 2024 18:40:47 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-tstats-command-alter-time-stamps-when-I-run-it-by-time/m-p/700373#M237670 qs_chuy 2024-09-27T18:40:47Z https://community.splunk.com/t5/Splunk-Search/Why-does-tstats-command-alter-time-stamps-when-I-run-it-by-time/m-p/700375#M237671 <P>This thread is more than a year old so you are more likely to get responses by submitting a new question.</P> Fri, 27 Sep 2024 19:33:22 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-tstats-command-alter-time-stamps-when-I-run-it-by-time/m-p/700375#M237671 richgalloway 2024-09-27T19:33:22Z https://community.splunk.com/t5/Splunk-Search/Why-does-tstats-command-alter-time-stamps-when-I-run-it-by-time/m-p/709009#M239661 <P>Hello&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;found out <EM>| tstats ... by source</EM> provides less results than<EM> | tstats ... values(source)</EM>&nbsp; in a search combining a query joined with tstats <span class="lia-unicode-emoji" title=":upside_down_face:">🙃</span><BR /><BR /></P> <LI-CODE lang="markup">| tstats min(_time) as firstTime max(_time) as lastTime values(source) as source WHERE index=* by host,index provides ALL sources | tstats min(_time) as firstTime max(_time) as lastTime WHERE index=* by host,index,source provides only 1 source</LI-CODE> Thu, 16 Jan 2025 17:40:24 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-tstats-command-alter-time-stamps-when-I-run-it-by-time/m-p/709009#M239661 splunkreal 2025-01-16T17:40:24Z