I want to count the events from dc server hosts by hour using tstats:
| tstats count where host="srv*dc*" by host GROUPBY _time span=1h
I know that tstats is fast because it uses tsidx files with summary field data about the events for the indexed fields: _time, host, index, etc. without opening each event and looking at the _raw field. I am interested in learning how to get tstats to do this job instead of using index=_internal or | metadata so that I can understand how stats works and where it performs best.
The results of the search above are: No results found. This is true with the where clause removed as well. How can I quickly generate an hourly count of dc hosts using tstats?
Hi landen99,
Take a look at the docs at http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Tstats; they will tell you this:
tstats [prestats=<bool>] [local=<bool>] [append=<bool>] [summariesonly=<bool>] [allow_old_summaries=<bool>] [chunk_size=<unsigned int>] <stats-func> [ FROM ( <namespace> | sid=<tscollect-job-id> | datamodel=<datamodel-name> )] [WHERE <search-query>] [( by | GROUPBY ) <field-list> [span=<timespan>] ]
The important part here is this:
( by | GROUPBY )
So you can either use by or GROUPBY, but not both in one search. Try this:
| tstats count where host="srv*dc*" GROUPBY _time span=1h
or
| tstats count where host="srv*dc*" by _time span=1h
hope this helps ...
cheers, MuS
Hi MuS,
I have a similar query; can you please check the question below:
https://answers.splunk.com/answers/770370/how-to-get-tstats-results-independent-of-time-rang.html
This will:
| tstats count where host="srv*dc*" by host, _time span=1h
Perfect, thank you.
People should keep in mind that the where clause is for the search query. In many cases, an index needs to be specified, just as with any search query.
| tstats count where index=myindex host="srv*dc*" by host _time span=1h
Will that generate hourly counts for each host?