How do I use tstats with 2 options for the where clause?
ie:
| tstats dc(host) as hosts where index=uberagent AppName=StoreFront groupby host
Does not work.
Works if I remove AppName=...
Only index-time fields can be used with tstats. AppName is unlikely to be an index-time field (and you probably shouldn't make it an index-time field). Also, I don't think you should have the "groupby host" at the end.
@lguinn is right as usual. @smudge797, the uberAgent app uses data models extensively. There is probably an accelerated datamodel object that contains what you need, i.e., the AppName field. If so, then you can create a tstats or pivot search to give you what you want, but you will have to tailor the syntax to that datamodel object.
Thanks all, that makes sense now, and I do see this in the uberAgent docs:
Source type:
uberAgent:Application:ApplicationUsage
Field list:
AppName, UserName, AppVersion, RemotingClientName
Any tips on the query to run tstats against the DM?
Thanks!
I think it would be this
| tstats dc(host) as hosts from datamodel="uberAgent.Application_ApplicationUsage" where nodename="Application_ApplicationUsage" Application_ApplicationUsage.AppName="StoreFront" by host
Thanks, this is what I came up with, pivoting off the uberAgent DM:
|tstats dc(host) AS "Distinct Count of host" from datamodel=uberAgent.Application_ApplicationUsage where (nodename = Application_ApplicationUsage) groupby Application_ApplicationUsage.AppName prestats=true | addinfo type=count label=prereport_events | fields keepcolorder=t "Application_ApplicationUsage.AppName" "host" "prestats_reserved_" "psrsvd_" | prestats dedup_splitvals=t distinct_count(host) by "Application_ApplicationUsage.AppName"
Thanks all