Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

tstats not working on all index time fields?

moneybox
Explorer
‎06-14-2018 08:00 AM

I have a python script (requests and post) that sends json events to an Indexer using HTTP Event Collector (HEC).
I can perform searches like

| tstats count where host=XXX by sourcetype
yet I cannot perform tstats searches on fields inside the event, even though they are json fields that are extracted in index time.

How can I make sure a search like

| tstats count where host=XXX by json_field_1
will work ?

Thank you

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cpetterborg
SplunkTrust
SplunkTrust
‎06-14-2018 10:07 AM

Unless you have the JSON field you want INDEXED, you will not be able to use it in a tstats command. tstats can only work of things that are in the tsidx file (like source, sourcetype, index, host, _time, etc.) and those fields which are indexed (so that means the field extractions would have to be done through the props.conf files on the indexers). If that is not the case in this instance, then you cannot use something like json_field_1 in that search.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

cpetterborg
SplunkTrust
SplunkTrust
‎06-14-2018 10:07 AM

Unless you have the JSON field you want INDEXED, you will not be able to use it in a tstats command. tstats can only work of things that are in the tsidx file (like source, sourcetype, index, host, _time, etc.) and those fields which are indexed (so that means the field extractions would have to be done through the props.conf files on the indexers). If that is not the case in this instance, then you cannot use something like json_field_1 in that search.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...