The tstats command in Splunk is optimized for performance and has specific limitations regarding the use of wildcards.
According to Splunk Documentation:
"The tstats command does not support wildcard characters in field values in aggregate functions or BY clauses."
"You can use wildcards in the where clause to filter results."
This means that while wildcards are not permitted in the by or from clauses, they can be effectively used within the where clause to filter data based on pattern matching.
Reference: tstats - Splunk Documentation