Solved: Tstats with a different field

curry59 · ‎06-16-2017

Hello,

I recently setup a summary index. I'm searching with "tstats" in that summary index to get a single integer of the associated servers that are up/down. My search works with "host=($SERVERNAME)", but I would like to use a different field than "host" which would be "orig_host". Below is my search that works with "host", but seem to cant get it working with "orig_host" instead of "host". Does "tstats" only work with host, source and sourcetype only?

| tstats latest(_time) as latest where host=($SERVERNAME) by host
| eval noDataTime = now() - latest
| eval status = if(noDataTime>600,"HOST DOWN" ,if(noDataTime>300,"Warning","Available"))
| stats count(eval(status="Available")) AS Available

Thank you!

rjthibod · ‎06-16-2017

Tstats only works with the index-time fields and the raw data.

So, unless you are setting up "orig_host" as an index-time field, your only chance to include the raw search text for the "orig_host" field. Still, you are limited to just searching the raw text string of "($SERVERNAME)". You get no guarantees because tstats will return the value for any event that includes that string.

| tstats latest(_time) as latest where "($SERVERNAME)" by host

View solution in original post

rjthibod · ‎06-16-2017

Tstats only works with the index-time fields and the raw data.

So, unless you are setting up "orig_host" as an index-time field, your only chance to include the raw search text for the "orig_host" field. Still, you are limited to just searching the raw text string of "($SERVERNAME)". You get no guarantees because tstats will return the value for any event that includes that string.

| tstats latest(_time) as latest where "($SERVERNAME)" by host

Tstats with a different field

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases