- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to make tstats prestats=true with values() and...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've been using tstats in many queries that I run against accelerated data models, however most of the time I use it with a simple count() function in the following format:
| tstats prestats=true count AS count FROM datamodel=... WHERE ... BY ...
| eval ...
| lookup ...
| stats count BY ...
This time, I will need to add sum() and values() functions to the tstats, but it seems I am unable to get it working.
If someone could take a look at the queries and let me know what I am doing wrong, that would be great.
The following query (using prestats=false option) works perfectly and produces output (i.e. the reason, duration, sent and rcvd fields all have correct values).
| tstats prestats=false
values(Traffic.reason),
sum(Traffic.duration),
sum(Traffic.sent),
sum(Traffic.rcvd),
count AS count
FROM
datamodel=Network_Log.Traffic
BY
_time span=auto
| rename
"values(Traffic.reason)" AS reason,
"sum(Traffic.duration)" AS duration,
"sum(Traffic.sent)" AS sent,
"sum(Traffic.rcvd)" AS rcvd
When I try to re-write the above query with the prestats=true option and use stats to summarize on the prestats format, the reason, duration, sent, and rcvd fields are all null. The count field is calculated correctly and displayed in the statistics table.
| tstats prestats=true
values(Traffic.reason),
sum(Traffic.duration),
sum(Traffic.sent),
sum(Traffic.rcvd),
count AS count
FROM
datamodel=Network_Log.Traffic
BY
_time span=auto
| rename
"values(Traffic.reason)" AS reason,
"sum(Traffic.duration)" AS duration,
"sum(Traffic.sent)" AS sent,
"sum(Traffic.rcvd)" AS rcvd
| stats values(reason) AS reason, sum(duration) AS duration, sum(sent) AS sent, sum(rcvd) AS rcvd, count by _time
By the way, I followed this excellent summary when I started to re-write my queries to tstats, and I think what I tried to do here is in line with the recommendations, i.e. I repeated the same functions in the stats command that I use in tstats and used the same BY clause.
Regards,
Robert
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It might be useful for someone who works on a similar query. I understand why my query returned no data, it all got to do with the field name as it seems rename didn't take effect on the pre-stats fields.
The correct query is the one below.
| tstats prestats=true
values(Traffic.reason),
sum(Traffic.duration),
sum(Traffic.sent),
sum(Traffic.rcvd),
count AS count
FROM
datamodel=Network_Log.Traffic
BY
_time span=auto
| stats values(Traffic.reason) AS reason, sum(Traffic.duration) AS duration, sum(Traffic.sent) AS sent, sum(Traffic.rcvd) AS rcvd, count by _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It might be useful for someone who works on a similar query. I understand why my query returned no data, it all got to do with the field name as it seems rename didn't take effect on the pre-stats fields.
The correct query is the one below.
| tstats prestats=true
values(Traffic.reason),
sum(Traffic.duration),
sum(Traffic.sent),
sum(Traffic.rcvd),
count AS count
FROM
datamodel=Network_Log.Traffic
BY
_time span=auto
| stats values(Traffic.reason) AS reason, sum(Traffic.duration) AS duration, sum(Traffic.sent) AS sent, sum(Traffic.rcvd) AS rcvd, count by _time
Technical Workshop Series: Splunk Data Management and SPL2 | Register here!
Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk
Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability
