Solved: Get a Single value for count of hosts for tstats q...

neerajs_81 · ‎08-13-2024

Hi, i have a requirement to create single value visual with trendline. I have looked at sample queries on Dashboard studio examples hub. Below is my base query.

|tstats dc(host) as distinct_count where index=okta
sourcetype="OktaIM2:log"

Expected result: Something like this

I have been trying below 2 searches but neither of two is showing the expected result.

|tstats dc(host) as distinct_host where index=okta sourcetype="OktaIM2:log"
| chart count(distinct_host) by _time
OR
|tstats dc(host) as distinct_host where index=okta sourcetype="OktaIM2:log"
| timechart count(distinct_host) by _time

If i try the below query without tstats, it works but i need to use tstats from a performance point of view.

index=okta sourcetype="OktaIM2:log"
| chart dc(host) by _time span=1h

Any suggestion how to generate single value trendline with tstats?

ITWhisperer · ‎08-14-2024

If you want any sort of stat based on time, you should include it in the by clause. Try starting with something like this

|tstats dc(host) as distinct_host where index=okta sourcetype="OktaIM2:log" by _time

View solution in original post

ITWhisperer · ‎08-14-2024

If you want any sort of stat based on time, you should include it in the by clause. Try starting with something like this

|tstats dc(host) as distinct_host where index=okta sourcetype="OktaIM2:log" by _time

neerajs_81 · ‎08-14-2024

Thanks, didn't realize we could do a by clause with tstats as well.

Get a Single value for count of hosts for tstats query

Dashboard Studio

single value

timechart

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation