Solved: tstats timechart

kunalmao · ‎10-12-2017

I am trying to do a time chart of available indexes in my environment , I already tried below query with no luck

| tstats count where index=* by index _time

but i want results in the same format as

index=* | timechart count by index limit=50

gcusello · ‎10-12-2017

Hi kunalmao,
why you want to use tstats if the second solution solves your needs?
If the problem is performance, use | metasearch before index=*
Bye.
Giuseppe

View solution in original post

DEAD_BEEF · ‎09-11-2018

To add to this post for future readers, if you did want to use tstats, then you could using the following syntax:

| tstats count WHERE (index=*) BY index _time span=1d prestats=t 
| timechart span=1d count by index

adjust the span period (on both lines as they must match) to whatever you prefer based on your search (1h, 4h, 5m, etc...)

gcusello · ‎10-12-2017

Hi kunalmao,
why you want to use tstats if the second solution solves your needs?
If the problem is performance, use | metasearch before index=*
Bye.
Giuseppe

guarisma · ‎01-05-2021

I would do it by including _time in the tstats' by statement

| tstats count where index=* by _time index | timechart span=1mon sum(count) by index

tstats timechart

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?