Splunk® Enterprise

Search Reference

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

tstats

Use the tstats command to perform statistical queries on indexed fields in tsidx files, which could come from normal index data, tscollect data, or accelerated datamodels.

Synopsis

Performs statistics on indexed fields in tsidx files.

Syntax

tstats [prestats=<bool>] [local=<bool>] [append=<bool>] [summariesonly=<bool>] <aggregate-opt> <stats-func>... [ FROM ( <namespace> | sid=<tscollect-job-id> | datamodel=<datamodel-name> )] [WHERE <search-query>] [( by | GROUPBY ) <field-list> [span=<timespan>] ]

Required arguments

<stats-func>...
Syntax: count(<field>) | <function>(<field>) [AS <string>]
Description: Either perform a basic count of a field or perform a function on a field. For a list of the supported functions for the tstats command, refer to the table below. You can specify one or more functions. You can also rename the result using the AS keyword, unless you are in prestats mode. You cannot use wildcards to specify field names. You cannot use a BY clause with the tstats command. See Usage.
The following table lists the supported functions by type of function. For descriptions and examples, see Statistical and charting functions.
Type of function Supported functions and syntax
Aggregate functions avg()

count()
distinct_count()
estdc()

max()

median()
min()
mode()

perc<int>

range()
stdev()
stdevp()

sum()

sumsq()
var()
varp()

Event order functions earliest()
first()
last()
latest()
Multivalue stats and chart functions list(X)
values(X)
namespace
Syntax: <string>
Description: Define a location for the tsidx file with $SPLUNK_DB/tsidxstats. This namespace location is also configurable in indexes.conf, with the attribute tsidxStatsHomePath.
sid
Syntax: sid=<tscollect-job-id>
Description: The job ID string of a tscollect search (that generated tsidx files).
datamodel
Syntax: datamodel=<datamodel-name>
Description: The name of an accelerated data model.

Optional arguments

append
Syntax: append=<bool>
Description: When in prestats mode (prestats=t), enables append=t where the prestats results append to existing results, instead of generating them.
local
Syntax: local=<bool>
Description: If true, forces the processor to be run only on the search head. Defaults to false.
prestats
Syntax: prestats=<bool>
Description: Use this to output the answer in prestats format, which enables you to pipe the results to a different type of processor, such as chart or timechart, that takes prestats output. This is very useful for creating graph visualizations. Defaults to false.
summariesonly
Syntax: summariesonly=<bool>
Description: Only applies when selecting from an accelerated datamodel. If true, this will only generate results from the tsidx data that has been automatically generated by the acceleration. If false, also generates results from search for missing tsidx data. Defaults to false.
<field-list>
Syntax: <field>, <field>, ...
Description: Specify a list of fields to group results.

Description

The tstats command is a generating processor, so it must be the first command in a search pipeline except in append mode (append=t).

Use the tstats command to perform statistical queries on indexed fields in tsidx fields. You can select from data in several different ways:

1. Normal index data: If you do not supply a FROM clause (to specify a namespace, search job ID, or datamodel), Splunk selects from index data in the same way as search. You are restricted to selecting from your allowed indexes by role, and you can control exactly which indexes you select from in the WHERE clause. If no indexes are mentioned in the WHERE clause search, Splunk uses the default index(es). By default, role-based search filters are applied, but can be turned off in limits.conf.

2. Data manually collected with tscollect: Select from your namespace with FROM <namespace>. If you didn't supply a namespace to tscollect, the data was collected into the dispatch directory of that job. In that case, select from that data with FROM sid=<tscollect-job-id>.

3. A high-performance analytics store (collection of .tsidx data summaries) for an accelerated data model: Select from this accelerated data model with FROM datamodel=<datamodel-name>.

You might see a count mismatch in the events retrieved when searching tsidx files. This is because it's not possible to distinguish between indexed field tokens and raw tokens in tsidx files. On the other hand, it is more explicit to run tstats on accelerated datamodels or from a tscollect, where only the fields and values are stored and not the raw tokens.

Filtering with where

You can provide any number of aggregates (aggregate-opt) to perform and also have the option of providing a filtering query using the WHERE keyword. This query looks like a normal query you would use in the search processor.

Grouping by _time

You can provide any number of GROUPBY fields. If you are grouping by _time, you should supply a timespan with span for grouping the time buckets. This timespan looks like any normal timespan in Splunk, such as span='1hr' or '3d'. It also supports 'auto'.

Examples

Example 1: Gets the count of all events in the mydata namespace.

| tstats count FROM mydata

Example 2: Returns the average of the field foo in mydata, specifically where bar is value2 and the value of baz is greater than 5.

| tstats avg(foo) FROM mydata WHERE bar=value2 baz>5

Example 3: Gives the count by source for events with host=x.

| tstats count where host=x by source

Example 4: Gives a timechart of all the data in your default indexes with a day granularity.

| tstats prestats=t count by _time span=1d | timechart span=1d count

Example 5: Use prestats mode in conjunction with append to compute the median values of foo and bar, which are in different namespaces.

| tstats prestats=t median(foo) from mydata | tstats prestats=t append=t median(bar) from otherdata | stats median(foo) median(bar)

See also

stats, tscollect

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the tstats command.

PREVIOUS
tscollect
  NEXT
typeahead

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.2.13, 6.2.14, 6.2.15


Comments

Missing description of "local=" as used by ES.

Sowings splunk, Splunker
January 8, 2013

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters