https://community.splunk.com/t5/Splunk-Search/Where-can-I-find-detailed-documentation-for-using-tstats-with/m-p/271498#M81738 <P>Thanks. I had previously scoured through these docs trying dig out tstats idiosyncrasies when using datamodels.</P> Thu, 26 May 2016 23:16:30 GMT romedome 2016-05-26T23:16:30Z https://community.splunk.com/t5/Splunk-Search/Where-can-I-find-detailed-documentation-for-using-tstats-with/m-p/271495#M81735 <P>I'm starting to use accelerated data models to power some dashboards, but I'm having some issues. For example, after a few days of searching, I only recently found out that to reference fields, I need to use the . format and I'm still not clear on what the use of the "nodename" attribute is.</P> <P>My query to the Splunk sages: Where are these and other data model specifics documented?</P> Thu, 26 May 2016 20:52:06 GMT https://community.splunk.com/t5/Splunk-Search/Where-can-I-find-detailed-documentation-for-using-tstats-with/m-p/271495#M81735 romedome 2016-05-26T20:52:06Z https://community.splunk.com/t5/Splunk-Search/Where-can-I-find-detailed-documentation-for-using-tstats-with/m-p/271496#M81736 <P>Here's a good answers post with some nice details on using tstats.</P> <P><A href="https://answers.splunk.com/answers/186938/what-is-tstats-and-why-is-so-much-faster-than-stat.html">https://answers.splunk.com/answers/186938/what-is-tstats-and-why-is-so-much-faster-than-stat.html</A></P> <P>The nodename refers to a child in a datamodel and allows you to constrain your search in a where clause. So given the sample datamodel included with Splunk, 'Splunk's Internal Server Logs - SAMPLE', as an example:</P> <P><B>server</B> is the root event. <B>scheduler</B> is a child of server. <B>scheduled_reports</B> is a child of scheduler is a child of server.</P> <P>So you'd use nodename like so:</P> <PRE>| tstats prestats=true count from datamodel=internal_server where nodename=server.scheduler.scheduled_reports | stats count</PRE> Thu, 26 May 2016 22:25:20 GMT https://community.splunk.com/t5/Splunk-Search/Where-can-I-find-detailed-documentation-for-using-tstats-with/m-p/271496#M81736 shaskell_splunk 2016-05-26T22:25:20Z https://community.splunk.com/t5/Splunk-Search/Where-can-I-find-detailed-documentation-for-using-tstats-with/m-p/271497#M81737 <P>A couple of doc links, if you haven't already gone through them:</P> <UL> <LI><A href="http://docs.splunk.com/Documentation/Splunk/6.4.1/SearchReference/Tstats">http://docs.splunk.com/Documentation/Splunk/6.4.1/SearchReference/Tstats</A></LI> <LI><A href="http://docs.splunk.com/Documentation/Splunk/6.4.1/Knowledge/Acceleratedatamodels#Query_data_model_acceleration_summaries">http://docs.splunk.com/Documentation/Splunk/6.4.1/Knowledge/Acceleratedatamodels#Query_data_model_acceleration_summaries</A></LI> </UL> Thu, 26 May 2016 22:30:17 GMT https://community.splunk.com/t5/Splunk-Search/Where-can-I-find-detailed-documentation-for-using-tstats-with/m-p/271497#M81737 ChrisG 2016-05-26T22:30:17Z https://community.splunk.com/t5/Splunk-Search/Where-can-I-find-detailed-documentation-for-using-tstats-with/m-p/271498#M81738 <P>Thanks. I had previously scoured through these docs trying dig out tstats idiosyncrasies when using datamodels.</P> Thu, 26 May 2016 23:16:30 GMT https://community.splunk.com/t5/Splunk-Search/Where-can-I-find-detailed-documentation-for-using-tstats-with/m-p/271498#M81738 romedome 2016-05-26T23:16:30Z https://community.splunk.com/t5/Splunk-Search/Where-can-I-find-detailed-documentation-for-using-tstats-with/m-p/271499#M81739 <P>Nice, all the details are buried in that post. I had missed them on the first skim. : )</P> Thu, 26 May 2016 23:21:37 GMT https://community.splunk.com/t5/Splunk-Search/Where-can-I-find-detailed-documentation-for-using-tstats-with/m-p/271499#M81739 romedome 2016-05-26T23:21:37Z https://community.splunk.com/t5/Splunk-Search/Where-can-I-find-detailed-documentation-for-using-tstats-with/m-p/271500#M81740 <P>Took me a little bit of time to figure out how to access my data model fields using tstats so I thought I'd share some examples.</P> <PRE><CODE># had to use mvexpand to generate a list for a drop-down menu, without it I was getting commas in my dashboard drop-downs | tstats values(Host_Metadata_Stats.host_env) as host_env from datamodel=Host_Metadata.Host_Metadata_Stats | mvexpand host_env | table host_env # avg calculation with 1 second bucket / span | tstats count from datamodel=Host_Metadata.Host_Metadata_Stats where Host_Metadata_Stats.index="*" Host_Metadata_Stats.host="**" Host_Metadata_Stats.host_app="*" Host_Metadata_Stats.host_env="*" Host_Metadata_Stats.host_server="*" sourcetype="*" by _time span=1s | stats avg(count) as eps # timechart sum | tstats count from datamodel=Host_Metadata.Host_Metadata_Stats where Host_Metadata_Stats.index="*" Host_Metadata_Stats.host="**" Host_Metadata_Stats.host_app="*" Host_Metadata_Stats.host_env="*" Host_Metadata_Stats.host_server="*" sourcetype="*" by _time index | timechart sum(count) as count by index useother=f # table | tstats count sum(Host_Metadata_Stats.event_length) as bytes from datamodel=Host_Metadata.Host_Metadata_Stats where Host_Metadata_Stats.index="*" Host_Metadata_Stats.host="**" Host_Metadata_Stats.host_app="*" Host_Metadata_Stats.host_env="*" Host_Metadata_Stats.host_server="*" sourcetype="*" by Host_Metadata_Stats.host_env Host_Metadata_Stats.host_app Host_Metadata_Stats.host_server Host_Metadata_Stats.host Host_Metadata_Stats.host_os Host_Metadata_Stats.index sourcetype source | sort host | rename Host_Metadata_Stats.host_env as host_env Host_Metadata_Stats.host_app as host_app Host_Metadata_Stats.host as host Host_Metadata_Stats.host_os as host_os Host_Metadata_Stats.index as index Host_Metadata_Stats.host_server as host_server | eval mb=round(bytes/1024/1024,2) | eval gb=round(bytes/1024/1024/1024,2) | sort -bytes </CODE></PRE> <P>I also found I could get a list of the datamodel field names by using prestats=t in verbose or smart search modes</P> <P>| tstats prestats=t count from datamodel=Host_Metadata.Host_Metadata_Stats <BR /> | table Host_Metadata_Stats* <BR /> | transpose 1<BR /> | table column</P> Tue, 29 Sep 2020 13:28:41 GMT https://community.splunk.com/t5/Splunk-Search/Where-can-I-find-detailed-documentation-for-using-tstats-with/m-p/271500#M81740 bandit 2020-09-29T13:28:41Z https://community.splunk.com/t5/Splunk-Search/Where-can-I-find-detailed-documentation-for-using-tstats-with/m-p/271501#M81741 <P>Consider also the .conf talk I gave last year specifically designed to teach people how to use tstats! <BR /> Slides: <A href="http://conf.splunk.com/files/2016/slides/how-to-scale-from-raw-to-tstats.pdf">http://conf.splunk.com/files/2016/slides/how-to-scale-from-raw-to-tstats.pdf</A><BR /> Video: <A href="http://conf.splunk.com/files/2016/recordings/how-to-scale-from-raw-to-tstats.mp4">http://conf.splunk.com/files/2016/recordings/how-to-scale-from-raw-to-tstats.mp4</A></P> <P>Or go to DC for .conf2017 where I will be re-delivering the same talk (with a few updates)!</P> Mon, 26 Jun 2017 13:10:57 GMT https://community.splunk.com/t5/Splunk-Search/Where-can-I-find-detailed-documentation-for-using-tstats-with/m-p/271501#M81741 David 2017-06-26T13:10:57Z