| tstats count where index=foo by sourcetype
Splunk doesn't store data in tables so there's no equivalent to a SQL table dump. You can use the fieldsummary command to see what fields are in the index along with their values.
index = foo | fieldsummary
---If this reply helps you...
If you use verbose mode to search a VIX, note that Splunk Analytics for Hadoop does not start a MapReduce job for that search. This is because verbose mode searches search for all events as well as any reports that you might be running. The benefits of MapReduce jobs in that ca...
You should do a quick tstats to see if that lives in your data
diogofgm SplunkTrust 06-04-2018 04:14 AM
It's easier to tell what are you looking to accomplish. ---Hope I was able to help you. If so, some karma would be appreciated.
abhi...
We've been using standalone indexers for three years and only in the last few weeks do we have a multisite indexer clustering turned on. Splunk has done a great job since 5.2.x where making many changes to props and transforms don't require a restart to take e...
As far as I can tell, if the data model is accelerated, Splunk will use the accelerated data where it can and then search against the underlying data. If the data model is not accelerated and you use summariesonly=f: Results return normally. When using tstats, do all ...
| tstats count WHERE index=* by host | table host
or
| metadata type=hosts index=* | table host
heats Explorer 12-23-2016 06:17 AM
AMAZING! Is the second one just all of the servers that have Splunk forwarder installed but aren't curre...
You can use tstats command to reduce search processing
Internal Logs for Splunk can be checked and correlated with TCPOutput to see if it is failing
Internal Logs for Splunk and correlate with connections being phoned in with the DS. A UF should communicate with DS ever...
Fill in your number of events, rep & search factors... Here's a search that will do the math for you, if you enable punct:
| tstats count where index=* OR index=_* by punct index | eval bytes=len(punct)*count | eval replicationFactor=2 | eval searchFactor=3 | stats sum...
hope it leads you in the right direction
danielbb Motivator 09-25-2019 02:17 PM
Thank you @adonio. When running -
| tstats count as event_count by splunk_server _time span=1d | timechart span=1d max(event_count) as total_events by splunk_s...
You're correct, the option summariesonly is a macro created by your Splunk administrator and my guess will be that it sets the option summariesonly of tstats command to true. (check the tstats link for more details on what this option does). The macro names are custom (...