Splunk Search

How can I determine which fields will work with tstats?

campbellwarren
Engager

I understand that tstats will only work with indexed fields, not extracted fields. How can I determine which fields are indexed? For example, in my IIS logs, some entries have a "uid" field, others do not. Tstats does not work with uid, so I assume it is not indexed. But I would like to be able to create a list. Is there some way to determine which fields tstats will work for and which it will not?

Also, is there a way to add a field to the index (like by editing a .conf file?)?

Thanks in advance for your help!

0 Karma

dkadavis
Explorer

You could find them by trial and error process.

| tstats values(<field1>) as <field1>
values(<field2>) as <field2>
values(<field3>) as <field3>
WHERE index=<index> sourcetype=<sourcetype> by sourcetype


Fields that have data in the results are usable fields.

0 Karma
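Added example (not from any poster in this thread): the trial-and-error check above, the field::value check mentioned later in the thread, and a walklex listing, written out as three separate searches for the uid field from the question. The index name my_iis_index, the sourcetype iis and the field uid are placeholders to replace with your own values; the walklex search command and its term/count output fields are assumed to be available (Splunk 8.0 or later), and the uid::* wildcard form is assumed to match any indexed value of uid.

```spl
| tstats count WHERE index=my_iis_index sourcetype=iis BY uid

index=my_iis_index sourcetype=iis uid::*
| stats count AS indexed_uid_events

| walklex index=my_iis_index type=field
| stats sum(count) AS occurrences BY term
| sort - occurrences
```

The first search returns rows only when uid is an indexed field, so an empty result is the "not indexed" signal the trial approach relies on. The second search uses the :: syntax, which only matches indexed fields rather than search-time extractions, so a non-zero count confirms the same thing from the other direction. The third search lists every indexed field name in the index with how often it occurs, which is the list the question asks for and avoids testing one field at a time.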

PickleRick
SplunkTrust

Why would you do that if you have perfectly well-working answers above? Also, this thread is several years old...

0 Karma

bowesmana
SplunkTrust

Even though this thread is old, it's perhaps worth noting the ability to use TERM and PREFIX with tstats, which I believe was introduced in Splunk 8 at the end of 2019, which would not have been possible when this question was written.

https://conf.splunk.com/files/2020/slides/PLA1089C.pdf


mattymo
Splunk Employee

Great answer by lowell in that first link, and the indexed extractions docs are definitely worth reading through.

The search syntax field::value is a great quick check, but playing with walklex is definitely worth the time, and gets my vote, as it is the ultimate source of truth and will be a great trick to add to your Splunk Ninja arsenal!

More on it, and other cool debug tools here:

https://docs.splunk.com/Documentation/Splunk/7.2.3/Troubleshooting/CommandlinetoolsforusewithSupport...

Also, for extra homework ;), check out @martin_mueller and his amazing talk on fields and tokens:

https://conf.splunk.com/files/2017/recordings/fields-indexed-tokens-and-you.mp4

https://conf.splunk.com/files/2017/slides/fields-indexed-tokens-and-you.pdf

- MattyMo
0 Karma