tstats command: Overview, syntax, usage

The SPL2 tstats command performs searches on indexed fields in tsidx files using statistical functions. The indexed fields can be from indexed data or accelerated data models.

Syntax

The syntax of the SPL2 tstats command differs from that of the SPL version of the tstats command, but the two commands have similar capabilities.

The required syntax is in bold.

| tstats

aggregates=[function-expression, ...]

datamodel_name='data_model_name.root_dataset_name'

predicate=(predicate-expression)

byfields=[field...]

Required parameters

aggregates

Syntax: aggregates=[function-expression, ...]

Description: One or more function expressions from the list of supported statistical functions. See Quick Reference for SPL2 Stats and Charting Functions. Separate multiple function expressions with commas. You must enclose the function expressions in square brackets [ ].

Optional parameters

datamodel_name

Syntax: datamodel_name='data_model_name.root_dataset_name'

Description: The name of the data model and the name of its root dataset. Names that contain special characters, such as periods or dashes, must be enclosed in single quotation marks. To restrict the search to a particular node (dataset) of the data model, specify the node name in the predicate parameter. For example: nodename = 'root_dataset_name.....target_dataset_name'.

Default: None

predicate

Syntax: predicate=(predicate-expression...)

Description: One or more predicate expressions. Use logical operators, such as AND or OR, to separate multiple predicate expressions. See Predicate expressions in the SPL2 Search Manual. The predicate-expression must be enclosed in parentheses ( ).

Note: If no indexes are specified in the predicate, all of the indexes that you have access to in your module are searched.

Default: All indexes you have access to in your module.

byfields

Syntax: byfields=[field, ...]

Description: A comma-separated list of one or more field names to group the results by. You must enclose the field names in square brackets [ ]. You cannot use wildcards in the field names.

Default: None
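The two searches below show the parameters combined, once over indexed fields only and once over a data model. They are added examples for this page, not from the Splunk documentation; the Authentication data model, its Failed_Authentication node and the Authentication.user and Authentication.src fields are assumed to follow the Splunk Common Information Model, and the threshold of 50 is an arbitrary constructed value.

```spl2
/* Indexed fields only (added example, assumes an index named "main"):
   count events per sourcetype without touching raw events. */
| tstats aggregates=[count() AS events]
    predicate=(index="main")
    byfields=[sourcetype]

/* Data model (added example, assumes the CIM Authentication data model):
   failed logons per source, with the node selected in the predicate.
   Field names containing periods are single-quoted, as the parameter
   descriptions above require. */
| tstats aggregates=[count() AS failures, dc('Authentication.user') AS distinct_users]
    datamodel_name='Authentication.Authentication'
    predicate=(nodename='Authentication.Failed_Authentication')
    byfields=['Authentication.src']
| where failures > 50
```

The second search surfaces sources that produce many failed logons against many distinct accounts, a pattern worth reviewing as possible password spraying; because tstats reads only index-time fields, it runs quickly enough to schedule frequently.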

Usage

Because the SPL2 tstats command searches only index-time fields rather than raw events, it is faster than the stats command.

By default, the SPL2 tstats command runs over accelerated and unaccelerated data models.

The SPL2 tstats command does not support the following arguments that are used with the SPL version of the tstats command:

  • prestats

  • local

  • append

  • summariesonly

  • include_reduced_buckets

  • allow_old_summaries

  • chunk_size

  • fillnull_value

See also

tstats command

tstats command: Examples