Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why can't tstats search sourcetype field specifically?

hketer
Path Finder
‎03-06-2022 08:40 AM

Hi All,

I'm running the query 

| tstats count where index=<index name> by sourcetype

No results  
OR 

| tstats values(sourcetype) where index=<index name> by index

and the results for values(sourcetype) is null\empty.

I have up to date data with  no delays in indextime .

I've checked the fields.conf on indexers and I do see the field [sourcetype]

**Also there are sourcetypes that does work and I see the field 

Any ideas how to check this? or what can be the issue?

 

Thanks,
Hen

Labels (1)
Labels
0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎03-13-2022 09:16 PM

I tried:

| tstats values(sourcetype) where index=_internal by index

That works and | tstats count where index=_internal by sourcetype

Also works on 8.2.0

 

Did you have the time range set correctly to find data?

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Get Updates on the Splunk Community!

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...