
How to use tstats in search?


Hi all,
When I run my original query I am getting one result, and when I execute the same query using tstats I am getting different output.
How do I modify the query to match the count?

My original query:



index=apl-cly-sap   sourcetype=cly:app:sap  |search processName="applicationstatus"  |stats avg(plantime)




tstats query:



|tstats count where index=apl-cly-sap   sourcetype=cly:app:sap  TERM(processName=applicationstatus) by PREFIX(plantime=)
|rename plantime= as Time
 |stats avg(Time)






That is because your second query (with tstats) is equivalent to

index=apl-cly-sap   sourcetype=cly:app:sap
|search processName="applicationstatus"
| stats count by plantime
| stats avg(plantime)

which is semantically different from your first one.

Unless plantime is extracted at index time, there is no way to do avg on this field in tstats.
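The difference described in the reply above, worked through in Python as an added example that is not part of the original thread. The sample events are constructed, and the function names are hypothetical; the sketch assumes each event carries `processName=` and `plantime=` as whitespace-delimited key=value tokens.

```python
from collections import Counter

# Constructed sample events (not from the thread).
EVENTS = [
    "ts=1 processName=applicationstatus plantime=10",
    "ts=2 processName=applicationstatus plantime=10",
    "ts=3 processName=applicationstatus plantime=10",
    "ts=4 processName=applicationstatus plantime=40",
    "ts=5 processName=otherprocess plantime=500",
]

def plantimes(events, process="applicationstatus"):
    """plantime of every event that contains the token processName=<process>."""
    term = f"processName={process}"
    values = []
    for event in events:
        tokens = event.split()
        if term not in tokens:
            continue
        for token in tokens:
            if token.startswith("plantime="):
                values.append(float(token.split("=", 1)[1]))
    return values

def avg_per_event(values):
    """Like `stats avg(plantime)` on raw events: each event counts once."""
    return sum(values) / len(values)

def tstats_rows(values):
    """Like `tstats count ... by PREFIX(plantime=)`: one row per distinct value."""
    return sorted(Counter(values).items())

def avg_of_rows(rows):
    """Like `stats avg(Time)` over those rows: the count column is ignored."""
    return sum(value for value, _ in rows) / len(rows)

def weighted_avg(rows):
    """Weight each distinct value by its count to recover the per-event mean.
    SPL form: | eval w=Time*count | stats sum(w) as s sum(count) as n | eval avg=s/n
    """
    total = sum(value * count for value, count in rows)
    return total / sum(count for _, count in rows)
```

On the constructed data the per-event average is 17.5, the average over the grouped rows is 25.0, and the count-weighted average is 17.5 again.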


@yuanliu What you said is correct, but when I use tstats I am getting the avg of plantime, but it is not matching the count with the original query.

As per my knowledge, when I run a tstats query, if the field is not an index-time field it will throw an error and not show any results.
But here I am getting results, but the avg of plantime is not matching. If I am getting results, that means plantime is an index-time field, right?




Your first search is semantically equivalent to this tstats (provided that all values of the field processName are extracted from key-value pairs with an equal sign):


| tstats avg(plantime) where index=apl-cly-sap sourcetype=cly:app:sap  TERM(processName=applicationstatus)


Do you mean you get a non-null result from the above that is different from your first search?
