- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: tstats uberagent data 2 options for where clau...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I use tstats with 2 options for where clause
ie:
| tstats dc(host) as hosts where index=uberagent AppName=StoreFront groupby host
Does not work
works if I remove AppName=...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Only index-time fields can be used with tstats. AppName is unlikely to be an index-time field (and you probably shouldn't make it an index-time field). Also, I don't think you should have the "groupby host" at the end.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Only index-time fields can be used with tstats. AppName is unlikely to be an index-time field (and you probably shouldn't make it an index-time field). Also, I don't think you should have the "groupby host" at the end.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@lguinn is right as usual. @smudge797, the uberAgent app uses data models extensively. There is probably an accelerated datamodel object that contains what you need, i.e., the AppName field. If so, then you can create a tstats or pivot search to give you what you want, but you will have to tailor the syntax to that datamodel object.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks all that makes sense now and I do see this in uberagent docs;
Source type:
uberAgent:Application:ApplicationUsage
Field list:
AppName, UserName, AppVersion, RemotingClientName
Any tips on the query to run tstats against the DM?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think it would be this
| tstats dc(host) as hosts from datamodel="uberAgent.Application_ApplicationUsage" where nodename="Application_ApplicationUsage" Application_ApplicationUsage.AppName="StoreFront" by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks this is what i came up with pivoting off the uberagent DM
|tstats dc(host) AS "Distinct Count of host" from datamodel=uberAgent.Application_ApplicationUsage where (nodename = Application_ApplicationUsage) groupby Application_ApplicationUsage.AppName prestats=true | addinfo type=count label=prereport_events | fields keepcolorder=t "Application_ApplicationUsage.AppName" "host" "prestats_reserved_" "psrsvd_" | prestats dedup_splitvals=t distinct_count(host) by "Application_ApplicationUsage.AppName"
Thanks all
Your Guide to SPL2 at .conf24!
Get ready to show some Splunk Certification swagger at .conf24!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
