Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Search
Splunk Community
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Search
Search
Search the Community
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
2,923 results
Sort by:
05-06-2025
08:08 PM
I am running tstats command with span of 2hrs for index and source. It returns the data for every 2hrs. But I want to include the results only if it's available for every 2hrs in last 24hrs search....
01-26-2024
10:33 AM
My current search is - | tstats count AS event_count WHERE index=* BY host, _time span=1h | append [ | inputlookup Domain_Computers | fields cn, operatingSystem, o...
12-08-2023
05:36 AM
Hello Team, Everyone has probably seen this error. Error in 'TsidxStats': _time aggregations are not yet supported except for count/min/max/range/earliest/latest I try to understand stats co...
Labels
- Labels:
-
distributed search
06-08-2023
12:39 AM
Hi,
So i have this search:
| tstats prestats=true count WHERE index=*_ot (source="*sgre*" OR o_wp="*sgre*") AND (source="*how02*" OR o_wp="*how02*") BY _...
Labels
- Labels:
-
tstats
Show results in replies (5)
-
index=*_ot (source="*sgre*" OR o_wp="*sgre*") AND (source="*how02*" OR o_wp="*how02*") | stats coun...
-
Hi @Imhim, you can use tstats only on indexed fields, in your case o_wp shouldn't be an i...
-
Hi @gcusello, Thank you. If it needs to be an indexed field, then what would be ...
-
Hi @Imhim, you have three choices: don't use tstats: if you have few events it's the e...
-
Thank you. I appreciate it
10-12-2017
03:34 AM
I am trying to do a time chart of available indexes in my environment , I already tried below query with no luck
| tstats count where index=* by index _time
but i want results in the same f...
without-tstats.png (88 KB)
with-tstats.png (91 KB)
03-22-2023
06:29 AM
I am wondering why tstats command alters time stamps when I run it by _time.
| tstats values(text_len) as text_len values(ts) as ts where index = data sourcetype = cdr by _time t...
- Tags:
- tstats
Labels
- Labels:
-
tstats
Show results in replies (7)
-
To group events by _time, tstats rounds the _time value down to create groups based on the s...
-
I ran into the same thing, but I noticed that when I run my queries against a data model that is no...
-
This thread is more than a year old so you are more likely to get responses by submitting a new que...
-
tstats still would have modified the timestamps in anticipation of creating groups. It w...
-
Hi @richgalloway Thank you for your response. But in my case there are no group...
-
...ut as a field value, e.g. | tstats max(_time) AS _time values(text_len) as text_len values(t...
-
tstats by _time supports the span= argument, so you can do span=1s to get the a 1 second bucket o...
05-16-2024
05:40 AM
We've run into a few occassions where one of our network devices stops sending logs to Splunk. I have a tstats search based on the blog post here: https://www.splunk.com/en_us/blog/tips-and-t...
Labels
- Labels:
-
alert condition
10-29-2024
12:11 PM
We are ingesting large volume of network data and would like to use tstats to make the searches faster. The query index=myindex is returning results as expected, but when I run a b...
02-24-2020
05:15 AM
I am trying to run the following tstats search:
| tstats summariesonly=true estdc(Malware_Attacks.dest) as "infected_hosts" where "Malware_Attacks.action=allowed" from datamodel="Malware"."M...
