Splunk Enterprise Security

tstats isn't displaying search

rtalcik
Path Finder

| tstats count where index=proxy AND sourcetype=dns earliest=-7d by _time, ComputerName span=1h
| xyseries _time, ComputerName, count

So this is an actual field with an actual value and it isnt loading into the search, any reason why?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

All fields used by tstats must be indexed. Are you sure ComputerName is extracted at index-time and not at search-time?

---
If this reply helps you, Karma would be appreciated.
0 Karma

rtalcik
Path Finder

Its a custom made field. So probably at search time.... is there a way around this

0 Karma

rtalcik
Path Finder

or a way to find out

0 Karma

richgalloway
SplunkTrust
SplunkTrust

| walklex type=field index=* | stats values(field) by index will list all of your indexed fields.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...