I am trying to run the following tstats search:
| tstats summariesonly=true estdc(Malware_Attacks.dest) as "infected_hosts" where "Malware_Attacks.action=allowed" from datamodel="Malware"."M...
I hope I explain this well. I have the following tstats search:
| tstats max(_time) AS _time WHERE index=_internal sourcetype=splunkd source=*metrics.log by host
I also have a lookup t...
...hat lookup file to exclude the files, the search results will exclude the whole host and affected files, not just the singular file I want excluded. My tstats search: | tstats values(S...
Hey I've been working on a distributed Splunk environment, where in one of our indexes we have a very high cardinality "source" field (basically different for each event). I've noticed that using tstats...
...ike this:
| tstats count as count where index="myindex" id="some id value" by _time CAUSE_VALUE span=5m
| timechart sum(count) as total_count span=5min
The q...
...oints to this field, set as IPv4, is the "IP" field utilized within the GEO IP settings) What works: 1. Datamodel "test": Acceleration is on, status 100% complete, and tstats c...
Hi, I have a host.csv with 20K+ hosts in it. I am expecting values(index) by host, but tstats gives an error for the command below. | tstats values(index) where index=* [| inputlookup e...
Dear Experts,
Requesting your help to convert the query below into a tstats query.
index=network_proxy category="Personal Network Storage and Backup" | eval Megabytes=(((bytes_out/1024)/1024))| s...
tstats shows an error if I include a JSON field in the "where" clause. The same happens with CSV fields. For example, if my source is like {"host": "<hostname>", "IP": "<IP address&g...