How to use tstats to make a search faster (getting...

splunkyboy2 · ‎09-24-2020

i am attempting to use tstats to make this search faster

index="wss_events" sourcetype=symantec:websecurityservice:scwss-poll
[| inputlookup "WSSIOC4.csv"
| rename match as query
| fields query ]

i get an an error that i dont understand . Can anyone tell me what i need to correct to use tstats , or am i trying to do something impossible ?

thambisetty · ‎09-24-2020

you can not use tstats for indexed data. your indexes should be part of datamodel and datamodel should have been accelerated. read about tstats command below:

https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/Tstats

————————————
If this helps, give a like below.

richgalloway · ‎09-24-2020

The tstats command can be used with indexed fields.

---
If this reply helps you, Karma would be appreciated.

splunkyboy2 · ‎09-24-2020

i have made the index a data model , but still getting errors that i cant work out

richgalloway · ‎09-24-2020

When using subsearches, it's a good idea to run the subsearch by itself with | format appended as in

| inputlookup mylookup.csv | rename foo as bar | fields bar | format

The result will show exactly what is added to the main search. If the resulting text is not valid as part of a search then the subsearch must be modified.

---
If this reply helps you, Karma would be appreciated.

How to use tstats to make a search faster (getting errors)?

using Splunk Enterprise

Splunk APM & RUM | Upcoming Planned Maintenance

Part 2: Diving Deeper With AIOps

User Groups | Upcoming Events!