Solved: tstats not working on all index time fields?

moneybox · ‎06-14-2018

I have a python script (requests and post) that sends json events to an Indexer using HTTP Event Collector (HEC).
I can perform searches like

| tstats count where host=XXX by sourcetype
yet I cannot perform tstats searches on fields inside the event, even though they are json fields that are extracted in index time.

How can I make sure a search like

| tstats count where host=XXX by json_field_1
will work ?

Thank you

cpetterborg · ‎06-14-2018

Unless you have the JSON field you want INDEXED, you will not be able to use it in a tstats command. tstats can only work of things that are in the tsidx file (like source, sourcetype, index, host, _time, etc.) and those fields which are indexed (so that means the field extractions would have to be done through the props.conf files on the indexers). If that is not the case in this instance, then you cannot use something like json_field_1 in that search.

View solution in original post

cpetterborg · ‎06-14-2018

Unless you have the JSON field you want INDEXED, you will not be able to use it in a tstats command. tstats can only work of things that are in the tsidx file (like source, sourcetype, index, host, _time, etc.) and those fields which are indexed (so that means the field extractions would have to be done through the props.conf files on the indexers). If that is not the case in this instance, then you cannot use something like json_field_1 in that search.

tstats not working on all index time fields?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases