topic Re: How can I determine which fields will work with tstats? in Splunk Search

How can I determine which fields will work with tstats?

campbellwarren — Fri, 04 Jan 2019 16:17:44 GMT

I understand that tstats will only work with indexed fields, not extracted fields. How can I determine which fields are indexed? For example, in my IIS logs, some entries have a "uid" field, others do not. Tstats does not work with uid, so I assume it is not indexed. But I would like to be able to create a list. Is there some way to determine which fields tstats will work for and which it will not?

Also, is there a way to add a field to the index (like by editing a .conf file?)?

Thanks in advance for your help!

Re: How can I determine which fields will work with tstats?

somesoni2 — Fri, 04 Jan 2019 16:38:09 GMT

For your first question, see this
https://answers.splunk.com/answers/339034/is-there-a-way-to-know-which-fields-were-extracted.html

To create indexed field, see this
https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/Configureindex-timefieldextraction

Re: How can I determine which fields will work with tstats?

mattymo — Sat, 05 Jan 2019 14:34:01 GMT

great answer by lowell in that first link, and definitely worth reading the indexed extractions docs through.

The search syntax field::value is a great quick check, but playing with walklex is definitely worth the time, and gets my vote, as it is the ultimate source of truth and will be a great trick to add to your Splunk Ninja arsenal!

More on it, and other cool debug tools here:

https://docs.splunk.com/Documentation/Splunk/7.2.3/Troubleshooting/CommandlinetoolsforusewithSupport#walklex

also, for extra homework ;), check out @martin_mueller and his amazing talk on fields and tokens:

https://conf.splunk.com/files/2017/recordings/fields-indexed-tokens-and-you.mp4

https://conf.splunk.com/files/2017/slides/fields-indexed-tokens-and-you.pdf

Re: How can I determine which fields will work with tstats?

dkadavis — Fri, 22 Nov 2024 21:21:15 GMT

You could find them by trial and error process.

| tstats values(<field1>) as <field1> values(<field2>) as <field2> values(<field3>) as <field3> WHERE index=<index> sourcetype=<sourcetype> by sourcetype

Fields that have data in the results means it is a useable field.

Re: How can I determine which fields will work with tstats?

PickleRick — Fri, 22 Nov 2024 22:57:16 GMT

Why would you do that if you have perfectly well working answers above? Also, this thread is several years old...

Re: How can I determine which fields will work with tstats?

bowesmana — Mon, 25 Nov 2024 03:43:58 GMT

Even though this thread is old, it's perhaps worth noting the ability to use TERM and PREFIX with tstats, which I believe was introduced in Splunk 8 at the end of 2019, which would not have been possible when this question was written.

https://conf.splunk.com/files/2020/slides/PLA1089C.pdf