Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why can't tstats search sourcetype field specifically?

hketer
Path Finder
‎03-06-2022 08:40 AM

Hi All,

I'm running the query 

| tstats count where index=<index name> by sourcetype

No results  
OR 

| tstats values(sourcetype) where index=<index name> by index

and the results for values(sourcetype) is null\empty.

I have up to date data with  no delays in indextime .

I've checked the fields.conf on indexers and I do see the field [sourcetype]

**Also there are sourcetypes that does work and I see the field 

Any ideas how to check this? or what can be the issue?

 

Thanks,
Hen

Labels (1)
Labels
0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎03-13-2022 09:16 PM

I tried:

| tstats values(sourcetype) where index=_internal by index

That works and | tstats count where index=_internal by sourcetype

Also works on 8.2.0

 

Did you have the time range set correctly to find data?

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...