Splunk Search

How can I determine which fields will work with tstats?


I understand that tstats will only work with indexed fields, not extracted fields. How can I determine which fields are indexed? For example, in my IIS logs, some entries have a "uid" field, others do not. Tstats does not work with uid, so I assume it is not indexed. But I would like to be able to create a list. Is there some way to determine which fields tstats will work for and which it will not?

Also, is there a way to add a field to the index (like by editing a .conf file?)?

Thanks in advance for your help!

0 Karma

Revered Legend

Splunk Employee
Splunk Employee

great answer by lowell in that first link, and definitely worth reading the indexed extractions docs through.

The search syntax field::value is a great quick check, but playing with walklex is definitely worth the time, and gets my vote, as it is the ultimate source of truth and will be a great trick to add to your Splunk Ninja arsenal!

More on it, and other cool debug tools here:


also, for extra homework ;), check out @martin_mueller and his amazing talk on fields and tokens:



- MattyMo
0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...