tstats by index by month Error in 'TsidxStats': WH...

daymar23 · ‎05-11-2021

Hello Community!

I am trying to get the record count by index that I am getting per month in Splunk. I am using this search with tstats, because there are millions of records per month and from I read this is more efficient than the stats command.

| tstats count WHERE (index=*) BY index _time span=1mon
| timechart span=1mon count

But I don't know why I am receiving this error:

Error in 'TsidxStats': WHERE clause is not an exact query

Can anyone help me to know what I am doing wrong?

Thanks

richgalloway · ‎05-11-2021

That query works fine on 8.1. What version are you using? Have you tried without the parentheses?

---
If this reply helps you, Karma would be appreciated.

daymar23 · ‎05-12-2021

I have Version:7.2.1 😞

Yes I have already tried without parentheses.

Do you know how I can do it in this version?

richgalloway · ‎05-12-2021

Sorry, I don't know. Perhaps upgrading to 7.3.x will help (7.2 is not supported now).

---
If this reply helps you, Karma would be appreciated.

allenclarke · ‎06-10-2021

I get the same issue. Can't get any searches with tstats to run, they all error in the same way.

Running Splunk 8.2

tstats by index by month Error in 'TsidxStats': WHERE clause is not an exact query

tstats

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?