Splunk Search

How to get tstats results case-insensitive?

Builder

Hello,

How can I get tstats results case-insensitive?

| tstats latest(_time) as latest,earliest(_time) as earliest WHERE index = * by host source

will output (example):

oraserver /var/log/messages 15200000
ORASERVER /var/log/messages 16000000

as host names changed on the Splunk forwarder agent (OS update).

Unfortunately, the stats command is too slow, so we can't use it.

Thanks.

1 Solution

Influencer

Well, tstats really needs to be the first command in the search, so what I would suggest to you is:

After the tstats command, use an eval host=lower(host), eval source=lower(source), and then redo the same calculation (which is now very light because you'll have very few results), like this:

| tstats latest(_time) as latest,earliest(_time) as earliest WHERE index = * by host source
| eval host=lower(host), source=lower(source)
| stats latest(_time) as latest,earliest(_time) by host source



Builder

Almost there! I changed stats latest(_time) to stats max(latest), stats min(earliest) and it works 🙂 Thanks a lot.

tstats should be flexible though.
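As an added example (not code from the thread), the accepted approach with the asker's max/min correction applied, plus a staleness flag so the same cheap tstats pass doubles as a check for log sources that have gone quiet; the `events` count and the 24-hour threshold are assumptions to tune for your environment.

```spl
| tstats latest(_time) as latest, earliest(_time) as earliest, count as events
    WHERE index=* by host source
| eval host=lower(host), source=lower(source)
| stats max(latest) as latest, min(earliest) as earliest, sum(events) as events by host source
| eval stale_hours=round((now()-latest)/3600, 1)
| eval status=if(stale_hours > 24, "STALE", "OK")
| eval latest=strftime(latest, "%Y-%m-%d %H:%M:%S"),
       earliest=strftime(earliest, "%Y-%m-%d %H:%M:%S")
| sort - stale_hours
```

The lower() fold merges ORASERVER and oraserver into one row, and because tstats has already reduced the data to one row per host/source, the trailing stats runs over a handful of rows rather than raw events.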
