Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to add a non existing field in tstats command?

whitefang1726
Path Finder
‎04-05-2022 07:29 PM

Hello, 

I looking for options to add a non-existing field in tstats command. The scenario is the field doesn't exist. Normally I create regex for searches, however, it doesn't work similar with tstats.

Example Query:

index=something sourcetype=something:something
| rex field=source".....(?<new_field>[0-9A-Z]+)"

This command will create new_field  field based on source field.

For tstats, the idea should be.. 

| tstats count max(_time) as _time where ....

 

 

Is this possible? Sorry for the lack of details.

Labels (1)
Labels
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎04-05-2022 10:55 PM

@whitefang1726 - It depends. If all the fields you need are indexed fields then yes you can do it.

For example, you just need to count by new_field extracted from source then you can use something like below query:

| tstats count where index=something sourcetype=something:something by source
| rex field=source ".....(?<new_field>[0-9A-Z]+)"
| stats sum(count) as count by new_field

 

I hope this helps!!

0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎04-05-2022 08:22 PM

tstats only for indexed fields. rex is a search-time.

Refer - https://docs.splunk.com/Documentation/Splunk/8.2.5/Data/Configureindex-timefieldextraction

after successful creation you can use the field in tstats.

--

Hope it helps!

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...