Solved: Get a Single value for count of hosts for tstats q...

neerajs_81 · ‎08-13-2024

Hi, i have a requirement to create single value visual with trendline. I have looked at sample queries on Dashboard studio examples hub. Below is my base query.

|tstats dc(host) as distinct_count where index=okta
sourcetype="OktaIM2:log"

Expected result: Something like this

I have been trying below 2 searches but neither of two is showing the expected result.

|tstats dc(host) as distinct_host where index=okta sourcetype="OktaIM2:log"
| chart count(distinct_host) by _time
OR
|tstats dc(host) as distinct_host where index=okta sourcetype="OktaIM2:log"
| timechart count(distinct_host) by _time

If i try the below query without tstats, it works but i need to use tstats from a performance point of view.

index=okta sourcetype="OktaIM2:log"
| chart dc(host) by _time span=1h

Any suggestion how to generate single value trendline with tstats?

ITWhisperer · ‎08-14-2024

If you want any sort of stat based on time, you should include it in the by clause. Try starting with something like this

|tstats dc(host) as distinct_host where index=okta sourcetype="OktaIM2:log" by _time

View solution in original post

ITWhisperer · ‎08-14-2024

If you want any sort of stat based on time, you should include it in the by clause. Try starting with something like this

|tstats dc(host) as distinct_host where index=okta sourcetype="OktaIM2:log" by _time

neerajs_81 · ‎08-14-2024

Thanks, didn't realize we could do a by clause with tstats as well.

Get a Single value for count of hosts for tstats query

Dashboard Studio

single value

timechart

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?