Hi All,
I tried running the two SPLs below for the same index and time range, but got two very different sets of results:
SPL 1:
|tstats values(host) where index=xxx
SPL 2:
index=xxx |stats values(host)
In SPL 1, I get one value.
In SPL 2, I get six values.
I also tried to run the following:
index=xxx
I checked the fields panel on the left-hand side, and the host field had the same values as SPL 2.
Thus, please help by sharing why the above was observed and how it can be resolved.
Thank you
In this case, you are not using Data Model (and Acceleration) syntax, so I will ignore that use case.
A tstats command uses data from the tsidx file(s). One of the means that data is put into the tsidx file(s) is index-time extractions. If the data has NOT been index-time extracted, tstats will not find it.
https://docs.splunk.com/Documentation/Splunk/9.0.0/SearchReference/Tstats
The index=xxx | stats ... search first reads ALL data from index=xxx and THEN performs the stats function on the resulting data.
https://docs.splunk.com/Documentation/Splunk/9.0.0/SearchReference/Stats
My theory is that the other 5 hosts do not have index-time extractions performed.
I recommend that you check your props.conf and accompanying transforms.conf file to determine which hosts have index-time field extractions. I suspect you will only find the one host.
Best of luck to you. This type of question and investigation is critical to making more efficient use of Splunk. So keep asking!!
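To make the answer above concrete, here is an added example (not from the thread or from Splunk's own documentation) of what an index-time extraction looks like in props.conf, transforms.conf and fields.conf, followed by two SPL searches to compare. The stanza names, the sourcetype "xxx_syslog" and the regex are assumptions chosen for illustration; the field being extracted is named "host" to match the thread. Remember that index-time extractions only apply to data indexed after the configuration is deployed to the indexers (or heavy forwarders doing the parsing); already-indexed events are not rewritten.

```ini
# props.conf (on the indexer / parsing tier) -- hypothetical sourcetype
[xxx_syslog]
# TRANSFORMS-* runs at index time; REPORT-* / EXTRACT-* run at search time
# and never reach the tsidx files, so tstats cannot see those fields.
TRANSFORMS-set_host = xxx_extract_host

# transforms.conf -- hypothetical regex for a "host=<name>" token in the raw event
[xxx_extract_host]
REGEX = host=(\S+)
FORMAT = host::$1
# WRITE_META = true writes the key/value into the index (tsidx), which is
# what makes it visible to | tstats
WRITE_META = true

# fields.conf -- tells the search tier the field is indexed, so searches
# and tstats use the tsidx entry instead of a search-time extraction
[host]
INDEXED = true

# Compare the two views in SPL (same index, same time range):
#   | tstats count where index=xxx by host        <- only indexed values
#   index=xxx | stats count by host               <- indexed + search-time values
# Hosts that appear in the second search but not the first are the ones
# whose host value only exists as a search-time extraction.
#
# To see which stanzas actually apply on a given box, run on that host:
#   splunk btool props list xxx_syslog --debug
#   splunk btool transforms list xxx_extract_host --debug
# (--debug prints the file each setting came from, so you can spot the
# app/local precedence that is winning.)
```

If the btool output on the indexers shows no TRANSFORMS-* line for the sourcetype, then the host values you see in the search-time fields panel are being produced at search time, and tstats will keep disagreeing with stats until either the extraction is moved to index time or you switch to a search-time command (stats, or an accelerated data model plus tstats).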
The host field is not being extracted at index time; it is being extracted at search time on the search head cluster.
As a result, the tstats command was not getting the values.
Thank you all for sharing your valuable inputs.
In some versions there is a bug with using tstats on the _internal index. See e.g. https://community.splunk.com/t5/Splunk-Enterprise/what-makes-tstats-on-internal-go-wrong/m-p/572087
r. Ismo
Probably some of the data is not being indexed properly. Please check this out.
Thank you @splunkxorsplunk for sharing your inputs.
Can you please share how I can resolve the issue? I was unable to follow the solution given in the thread you shared.
Thank you