Solved: How to get tstats results non-case sensitive?

splunkreal · ‎03-12-2018

Hello,

how to get tstats results non-case sensitive?

| tstats latest(_time) as latest,earliest(_time) as earliest WHERE index = * by host source

will output me (example) :

oraserver /var/log/messages 15200000
ORASERVER /var/log/messages 16000000

as hosts changed from Splunk forwarder agent (OS update)

Unfortunately stats command is too slow so we can't use it.

Thanks.

* If this helps, please upvote or accept solution 🙂 *

tiagofbmm · ‎03-12-2018

Well tstats really needs to be the first command in the search so, what I would suggest to you is:

After the tstats command, use an eval host=lower(host), eval source=lower(source), and then redo the same calculation (which is now very light because you;ll have very few results, like this:

| tstats latest(_time) as latest,earliest(_time) as earliest WHERE index = * by host source
| eval host=lower(host), source=lower(source)
| stats latest(_time) as latest,earliest(_time) by host source

View solution in original post

tiagofbmm · ‎03-12-2018

Well tstats really needs to be the first command in the search so, what I would suggest to you is:

After the tstats command, use an eval host=lower(host), eval source=lower(source), and then redo the same calculation (which is now very light because you;ll have very few results, like this:

| tstats latest(_time) as latest,earliest(_time) as earliest WHERE index = * by host source
| eval host=lower(host), source=lower(source)
| stats latest(_time) as latest,earliest(_time) by host source

splunkreal · ‎03-12-2018

Almost there! I changed stats latest(_time) by stats max(latest),stats min(earliest) and it works 🙂 Thanks a lot.

tstats should be flexible though.

* If this helps, please upvote or accept solution 🙂 *

How to get tstats results non-case sensitive?

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2