tstats uberagent data 2 options for where clause

Path Finder

How do I use tstats with 2 options for the where clause?
i.e.:

| tstats dc(host) as hosts where index=uberagent AppName=StoreFront groupby host
Does not work.
Works if I remove AppName=...

Re: tstats uberagent data 2 options for where clause

Legend

Only index-time fields can be used with tstats. AppName is unlikely to be an index-time field (and you probably shouldn't make it an index-time field). Also, I don't think you should have the "groupby host" at the end.

Re: tstats uberagent data 2 options for where clause

Champion

@lguinn is right as usual. @smudge797, the uberAgent app uses data models extensively. There is probably an accelerated datamodel object that contains what you need, i.e., the AppName field. If so, then you can create a tstats or pivot search to give you what you want, but you will have to tailor the syntax to that datamodel object.

Re: tstats uberagent data 2 options for where clause

Path Finder

Thanks all, that makes sense now, and I do see this in the uberAgent docs:

Source type:
uberAgent:Application:ApplicationUsage
Field list:
AppName, UserName, AppVersion, RemotingClientName

Any tips on the query to run tstats against the DM?

Thanks!

Re: tstats uberagent data 2 options for where clause

Champion

I think it would be this

| tstats dc(host) as hosts from datamodel="uberAgent.Application_ApplicationUsage" where nodename="Application_ApplicationUsage" Application_ApplicationUsage.AppName="StoreFront" by host

Re: tstats uberagent data 2 options for where clause

Path Finder

Thanks, this is what I came up with, pivoting off the uberAgent DM:

| tstats dc(host) AS "Distinct Count of host" from datamodel=uberAgent.Application_ApplicationUsage where (nodename = Application_ApplicationUsage) groupby Application_ApplicationUsage.AppName prestats=true | addinfo type=count label=prereport_events | fields keepcolorder=t "Application_ApplicationUsage.AppName" "host" "prestats_reserved_*" "psrsvd_*" | prestats dedup_splitvals=t distinctcount(host) by "Application_ApplicationUsage.AppName"

Thanks all
