Hello Team, Everyone has probably seen this error. Error in 'TsidxStats': _time aggregations are not yet supported except for count/min/max/range/earliest/latest I try to understand stats co...
My current search is - | tstats count AS event_count WHERE index=* BY host, _time span=1h | append [ | inputlookup Domain_Computers | fields cn, operatingSystem, o...
Hi,
So i have this search:
| tstats prestats=true count WHERE index=*_ot (source="*sgre*" OR o_wp="*sgre*") AND (source="*how02*" OR o_wp="*how02*") BY _...
I am trying to do a timechart of the available indexes in my environment; I already tried the query below with no luck
| tstats count where index=* by index _time
but i want results in the same f...
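For the bucketed-by-index question above, the usual pattern is to put the span on the `_time` field inside the tstats BY clause and then pivot with timechart. This is an added example, not taken from the post; the one-hour span and `index=*` scope are assumptions, adjust them to your environment:

```spl
| tstats count WHERE index=* BY _time span=1h index
| timechart span=1h sum(count) AS events BY index
```

The first line returns one row per (hour, index) pair from the tsidx files; timechart then turns those rows into one column per index so the result can be rendered as a line or column chart. Note that tstats only accepts count/min/max/range/earliest/latest over `_time`, so do not add a `values(_time)` or `avg(_time)` aggregation here, which is what triggers the TsidxStats error mentioned at the top of the page.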
Got a search like this (I've obfuscated it a bit)
| tstats count where index IN (index1, index2, index3) by _time , host | where match(host,"^.*.device.mycompany.com$")
Got a great looking s...
I am wondering why tstats command alters time stamps when I run it by _time.
| tstats values(text_len) as text_len values(ts) as ts where index = data sourcetype = cdr by _time t...
I can search my way into finding the result of a log clearing event, but if I use a data model with tstats it doesn't show. I think this might be because the action shows as action=deleted but the r...
Dears,
We need your support to convert the search below to a tstats search.
(index=os_windows OR index=workstation*) tag=authentication user!=*$ action=success EventCode=4624 Logon_Type=10 O...
Hello, I have the TSTATS command below, which is checking the specific index population with events per day: | tstats count WHERE (index=_internal AND sourcetype=splunkd) OR (index=B) by host,s...