Re: How can we use tstats with TERM and PREFIX?

danielbb · ‎12-22-2022

I'm trying to run -

| tstats count where index=wineventlog* TERM(EventID=4688) by _time span=1m

It returns no results but specifying just the term's value seems to work -

| tstats count where index=wineventlog* TERM(4624) by _time span=1m

https://conf.splunk.com/files/2020/slides/PLA1089C.pdf explains the subject well but my simple query is not working.

schose · ‎03-28-2023

Hi @danielbb ,

It's EventCode, not EventID. 😉

| tstats count where index=wineventlog* TERM(EventCode=4688) by _time span=1m

best regards,

Andreas

nordinethales · ‎03-09-2023

Hi danielbb,

You can try

| tstats count where index=wineventlog* TERM(EventID=*) by _time span=1m
But in the _raw event, you must have something which corresponds, like

...EventID=4624...

Then, if you want to use this EventID in the group by, you can try (be carefull The text you provide for the PREFIX() directive must be in lower case)

| tstats count where index=wineventlog* TERM(EventID=*) by PREFIX(eventid=) _time span=1m

Regards

neelwoolies · ‎08-07-2023

This is perfect.

danielbb · ‎12-22-2022

Ok, but TERM(4624) does work.

richgalloway · ‎12-22-2022

Which means that term is stored in a tsidx file (is indexed).

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎12-22-2022

The tstats command only works with indexed fields, which usually does not include EventID.

---
If this reply helps you, Karma would be appreciated.

How can we use tstats with TERM and PREFIX?

tstats

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!