Splunk Search

How to get tstats results non-case sensitive?

realsplunk
Builder

Hello,

How to get tstats results non-case sensitive?

| tstats latest(_time) as latest,earliest(_time) as earliest WHERE index = * by host source

will output (example):

oraserver /var/log/messages 15200000
ORASERVER /var/log/messages 16000000

as the host changed from the Splunk forwarder agent (OS update).

Unfortunately, the stats command is too slow, so we can't use it.

Thanks.

1 Solution

tiagofbmm
Influencer

Well, tstats really needs to be the first command in the search, so what I would suggest to you is:

After the tstats command, use an eval host=lower(host), eval source=lower(source), and then redo the same calculation (which is now very light because you'll have very few results), like this:

| tstats latest(_time) as latest,earliest(_time) as earliest WHERE index = * by host source
| eval host=lower(host), source=lower(source)
| stats latest(_time) as latest,earliest(_time) by host source

realsplunk
Builder

Almost there! I changed stats latest(_time) to stats max(latest),stats min(earliest) and it works 🙂 Thanks a lot.

tstats should be flexible, though.
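The merge step from the accepted answer, with the max(latest)/min(earliest) correction from the follow-up, as an added Python example that is not part of the thread. The rows are constructed to mimic the asker's tstats output; the second function is an assumed helper that lists which hosts were actually split by case, which is worth checking before trusting a per-host inventory or detection baseline.

```python
# Added example (not from the thread): simulate the accepted approach offline.
from collections import defaultdict

# Constructed sample tstats rows: host, source, latest, earliest (epoch seconds).
# The same physical host appears twice because the forwarder started reporting
# the hostname in upper case after an OS update.
TSTATS_ROWS = [
    {"host": "oraserver", "source": "/var/log/messages", "latest": 15200000, "earliest": 15000000},
    {"host": "ORASERVER", "source": "/var/log/messages", "latest": 16000000, "earliest": 15300000},
    {"host": "webfront", "source": "/var/log/secure", "latest": 16100000, "earliest": 15900000},
]

def merge_case_insensitive(rows):
    """Equivalent of:
       | eval host=lower(host), source=lower(source)
       | stats max(latest) as latest, min(earliest) as earliest by host source
    latest(_time) would not work at this point: tstats has already consumed
    _time, so the only time fields left are the latest/earliest columns.
    """
    merged = {}
    for r in rows:
        key = (r["host"].lower(), r["source"].lower())
        if key not in merged:
            merged[key] = {"host": key[0], "source": key[1],
                           "latest": r["latest"], "earliest": r["earliest"]}
        else:
            # Newest "latest" and oldest "earliest" across the case variants.
            merged[key]["latest"] = max(merged[key]["latest"], r["latest"])
            merged[key]["earliest"] = min(merged[key]["earliest"], r["earliest"])
    return sorted(merged.values(), key=lambda r: (r["host"], r["source"]))

def hosts_split_by_case(rows):
    """Assumed helper: hosts whose case variants were split in the raw tstats
    output, i.e. the ones the normalisation actually changes."""
    variants = defaultdict(set)
    for r in rows:
        variants[r["host"].lower()].add(r["host"])
    return {h: sorted(v) for h, v in variants.items() if len(v) > 1}

if __name__ == "__main__":
    for row in merge_case_insensitive(TSTATS_ROWS):
        print(row)
    print(hosts_split_by_case(TSTATS_ROWS))
```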