Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to add a non existing field in tstats command?

whitefang1726
Path Finder
‎04-05-2022 07:29 PM

Hello, 

I looking for options to add a non-existing field in tstats command. The scenario is the field doesn't exist. Normally I create regex for searches, however, it doesn't work similar with tstats.

Example Query:

index=something sourcetype=something:something
| rex field=source".....(?<new_field>[0-9A-Z]+)"

This command will create new_field  field based on source field.

For tstats, the idea should be.. 

| tstats count max(_time) as _time where ....

 

 

Is this possible? Sorry for the lack of details.

Labels (1)
Labels
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎04-05-2022 10:55 PM

@whitefang1726 - It depends. If all the fields you need are indexed fields then yes you can do it.

For example, you just need to count by new_field extracted from source then you can use something like below query:

| tstats count where index=something sourcetype=something:something by source
| rex field=source ".....(?<new_field>[0-9A-Z]+)"
| stats sum(count) as count by new_field

 

I hope this helps!!

0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎04-05-2022 08:22 PM

tstats only for indexed fields. rex is a search-time.

Refer - https://docs.splunk.com/Documentation/Splunk/8.2.5/Data/Configureindex-timefieldextraction

after successful creation you can use the field in tstats.

--

Hope it helps!

Reply
Get Updates on the Splunk Community!

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...