Solved: Re: help on tstats command

jip31 · ‎03-18-2020

hello
I use the stats command below in order to count the number of index on which an host collect events

| stats dc(index) AS "Number of index" BY host

Now I need to use stats instead tstats
So I am doing something like

| tstats dc(index) as "Number of index"

but when I am doing this I have an error message
Error in 'TsidxStats': Aggregations are not supported for index, splunk_server and splunk_server_group"
what is the problem please???

niketn · ‎03-18-2020

Try the following (which includes all non internal indexes and returns results from indexes you have access to):

| tstats count where index=* by host index
| stats dc(index) by host

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎03-18-2020

Try the following (which includes all non internal indexes and returns results from indexes you have access to):

| tstats count where index=* by host index
| stats dc(index) by host

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

jip31 · ‎03-18-2020

perfect niket! thanks

help on tstats command

stats

tstats

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...