Re: Field Does Not Exist in Tstats

whitefang1726 · ‎04-05-2022

Hello,

I looking for options to add a non-existing field in tstats command. The scenario is the field doesn't exist. Normally I create regex for searches, however, it doesn't work similar with tstats.

Example Query:

index=something sourcetype=something:something
| rex field=source".....(?<new_field>[0-9A-Z]+)"

This command will create new_field field based on source field.

For tstats, the idea should be..

| tstats count max(_time) as _time where ....

Is this possible? Sorry for the lack of details.

VatsalJagani · ‎04-05-2022

@whitefang1726 - It depends. If all the fields you need are indexed fields then yes you can do it.

For example, you just need to count by new_field extracted from source then you can use something like below query:

| tstats count where index=something sourcetype=something:something by source
| rex field=source ".....(?<new_field>[0-9A-Z]+)"
| stats sum(count) as count by new_field

I hope this helps!!

venkatasri · ‎04-05-2022

tstats only for indexed fields. rex is a search-time.

Refer - https://docs.splunk.com/Documentation/Splunk/8.2.5/Data/Configureindex-timefieldextraction

after successful creation you can use the field in tstats.

--

Hope it helps!

How to add a non existing field in tstats command?

tstats

See just what you’ve been missing | Observability tracks at Splunk University

Weezer at .conf25? Say it ain’t so!

How SC4S Makes Suricata Logs Ingestion Simple

Are you a member of the Splunk Community?

How to add a non existing field in tstats command?

tstats

See just what you’ve been missing | Observability tracks at Splunk University

Weezer at .conf25? Say it ain’t so!

How SC4S Makes Suricata Logs Ingestion Simple