I understand that tstats will only work with indexed fields, not extracted fields. How can I determine which fields are indexed? For example, in my IIS logs, some entries have a "uid" field, others do not. Tstats does not work with uid, so I assume it is not indexed. But I would like to be able to create a list. Is there some way to determine which fields tstats will work for and which it will not?
Also, is there a way to add a field to the index (e.g. by editing a .conf file)?
Thanks in advance for your help!
I am storing some performance counters in Splunk. The data gets written one or more times per day (though not necessarily at exactly the same time each day) and the totals are cumulative for multiple days.
For example, the data may include "total_worker_time" for various stored procedures, which we can assume will be an ever-increasing value. I would like to chart the change in this value over time per stored procedure to show how much work time was spent on a particular day for each stored procedure. For each day, I want to take the day's maximum value and subtract the previous day's maximum value to find the delta.
I know I can do:
<...mysearch...>| timechart max(total_worker_time) span=1d by procname
to return the cumulative total for each procname like this:
_time        Proc1          Proc2
2018-01-16   29710092875    4354587351
2018-01-17   54315798685    5977664529
2018-01-18   78055137053    7739773570
but I'd rather return the difference like this:
DATE        Proc1Delta      Proc2Delta
1/16/2018   no prev value   no prev value
1/17/2018   24605705810     1623077178
1/18/2018   23739338368     1762109041
Is this possible?
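One way to produce the per-day delta table described above, as an added example that is not part of the original post or any answer to it. It assumes the counter field is total_worker_time and the grouping field is procname, as in the post, and that <...mysearch...> stands in for the base search; streamstats with current=f window=1 fetches the previous day's maximum for the same procname, and the first day for each procname has no previous value.

```spl
<...mysearch...>
| bin _time span=1d
| stats max(total_worker_time) AS cum BY _time procname
| sort 0 procname _time
| streamstats current=f window=1 last(cum) AS prev_cum BY procname
| eval delta = if(isnull(prev_cum), "no prev value", cum - prev_cum)
| eval procname = procname . "Delta"
| xyseries _time procname delta
```

Unlike timechart, bin + stats does not fill in days with no events, so a gap in the data makes the next delta span more than one day. If the counter ever resets (for example after a service restart), cum - prev_cum goes negative, which is worth checking for before charting.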