tstats command: Examples
Examples for using the SPL2 tstats command
Counting the fields using the default tstats settings
The following example specifies only the required parameters. Aggregates must be enclosed in square brackets ( [ ] ). Because no indexes are specified, the search performs a count of the fields for all of the indexes in the module.
| tstats aggregates=[count()]
Renaming aggregate function expressions
The following example renames the aggregate using the AS keyword. Without renaming, the search results would display the aggregate expression min(_time).
| tstats aggregates=[min(_time) AS min] predicate=(index=myindex)
Specifying a data model in the tstats command
The following example specifies an aggregate and a data model. Because there is a period between the data model name and the root dataset name, the datamodel_name value must be enclosed in single quotation marks:
| tstats aggregates=[count()] datamodel_name='NetworkTraffic.emea'
Specifying the target dataset name in the predicate in a data model
The following example shows how to specify the target dataset name in the predicate in a data model:
| tstats aggregates=[count()] predicate=(nodename='emea.eur.poland') datamodel_name='NetworkTraffic.emea'
Specifying multiple predicates using the AND logical operator
The following example shows how to specify multiple predicates using the AND logical operator:
| tstats aggregates=[avg(bytes)] predicate=(index=sample_events AND host="www3")
Grouping results using the byfields argument
The following example shows how to specify a byfields value, which must be enclosed in square brackets ( [ ] ):
| tstats aggregates=[count()] predicate=(status IN("400", "404", "503")) byfields=[host]
Specifying multiple aggregates in the tstats command
The following example shows how to specify multiple aggregates in the tstats command:
| tstats aggregates=[min(_time) AS min, max(_time) AS max] datamodel_name='Buttercup_Games.Sales'
| eval prettymin=strftime(min, "%c")
| eval prettymax=strftime(max, "%c")
See also
tstats command