Splunk Search

How to use custom key field in tstats?

GaryZ
Path Finder
I'm having trouble capturing the custom key - "UserKey_ABC" in the following script.   With the following code, I'm not able to see any results.  However, if I remove "UserKey_ABC", I am able to get the results.  I'm certain I do have this key in my events.  How do I approach this issue?
 
| tstats count where index=abc  Arguments.email=“myemail@abc.com" by 
                     device_build, Arguments.test_url, UserKey_ABC
                     
| rename UserKey_ABC.Day as day, 
                     UserKey_ABC.job1 as job1,
                     UserKey_ABC.Version as version, 
                     Arguments.test_url as test_url, 
                     device_build as build
                     
| table build, lib, day, job1, version, test_url
Labels (5)
0 Karma

GaryZ
Path Finder

@yuanliu I'm fairly new to Splunk this year.   Can you explain what you mean?  - "You can still use the fields in statistical functions"

I've tried 

| tstats count where index=abc  Arguments.email=“myemail@abc.com" by 
                     device_build, Arguments.test_url, UserKey_ABC.job1
 
| rename UserKey_ABC.Day as day, 
                     UserKey_ABC.job1 as job1
 
But that didn't work for me either.

Thanks.

0 Karma

yuanliu
SplunkTrust
SplunkTrust

That's because at index time (when Splunk ingests data), fields like UserKey_ABC.job1 doesn't exist.  They are extracted at search time by some mechanism, but do not exist in indexer.

0 Karma

yuanliu
SplunkTrust
SplunkTrust

tstats only operates on indexed fields.  You can still use the fields in statistical functions.  So, you need to define how you want to see these values, and you cannot use them in groupby.

 

0 Karma
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...