Solved: Whaat is the tstats dynamic way to set the value o...

kelz · ‎06-02-2022

Hi Splunkers,

I was wondering if this is possible on tstats command. Get the dynamic value from savedsearch result or lookup? savedsearch or lookup is updating every hour.

| tstats max(_time) as last_updated WHERE index=* BY index, host

To avoid wildcard.. I was thinking it will be efficient if that is possible.

Appreciate any response.. Thanks!

rymundo_splunk · ‎06-03-2022

Hi, maybe something like

|tstats count where [|makeresults | eval index="_internal"|fields index] by index, host

That subsearch can return a field named index which then gets used for tstats. Hope this helps.

View solution in original post

rymundo_splunk · ‎06-03-2022

Hi, maybe something like

|tstats count where [|makeresults | eval index="_internal"|fields index] by index, host

That subsearch can return a field named index which then gets used for tstats. Hope this helps.

kelz · ‎06-03-2022

Thank you so much @rymundo_splunk it works!

Whaat is the tstats dynamic way to set the value on index to prevent wildcard?

tstats

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?

Whaat is the tstats dynamic way to set the value on index to prevent wildcard?

tstats

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability