Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted

How can I speed up a search by creating a data model using tstats?

pil321
Communicator
‎02-12-2018 07:53 AM

I want to speed up a search by creating a data model and using tstats.

This is the search using the data model so far:

| tstats count from datamodel=WinEvents.Summary by _time, host, Summary.EventCode, Summary.SourceName, Summary.Type, Summary.Keywords span=1m | stats earliest(_time) as First latest(_time) as Last count by host, Summary.EventCode, Summary.SourceName,  Summary.Type

On the original search, I used eval:

...| eval Type=if(Keywords=="Audit Success", Keywords, Type) | eval Type=if(Keywords=="Audit Failure", Keywords, Type)

Since that is a complex aggregate function (according to the documentation), how do I make that work with tstats?

0 Karma
Reply