I understand that tstats will only work with indexed fields, not extracted fields. How can I determine which fields are indexed? For example, in my IIS logs, some entries have a "uid" field, others do not. Tstats does not work with uid, so I assume it is not indexed. But I would like to be able to create a list. Is there some way to determine which fields tstats will work for and which it will not?
Also, is there a way to add a field to the index (like by editing a .conf file?)?
great answer by lowell in that first link, and definitely worth reading the indexed extractions docs through.
The search syntax field::value is a great quick check, but playing with walklex is definitely worth the time, and gets my vote, as it is the ultimate source of truth and will be a great trick to add to your Splunk Ninja arsenal!