Splunk Search

tstats timechart

Communicator

I am trying to do a time chart of available indexes in my environment , I already tried below query with no luck

| tstats count where index=* by index _time

but i want results in the same format as

index=* | timechart count by index limit=50alt text

Tags (3)
0 Karma
1 Solution

Legend

Hi kunalmao,
why you want to use tstats if the second solution solves your needs?
If the problem is performance, use | metasearch before index=*
Bye.
Giuseppe

View solution in original post

Builder

To add to this post for future readers, if you did want to use tstats, then you could using the following syntax:

| tstats count WHERE (index=*) BY index _time span=1d prestats=t 
| timechart span=1d count by index

adjust the span period (on both lines as they must match) to whatever you prefer based on your search (1h, 4h, 5m, etc...)

Legend

Hi kunalmao,
why you want to use tstats if the second solution solves your needs?
If the problem is performance, use | metasearch before index=*
Bye.
Giuseppe

View solution in original post