Step Up Your Search: Exploring the Splunk tstats Command

If you’re running Splunk Enterprise Security, you’re probably already aware of the tstats command but may not know how to use it. Similar to the stats command, tstats performs statistical queries on indexed fields in tsidx files. The tstats command delivers a significant gain in search performance; however, you are limited to the fields in indexed data, tscollect data, or accelerated data models.

The Power of tstats

Let’s take a simple example to illustrate just how efficient the tstats command can be. For this example, the following search will be run to produce the total count of events by sourcetype in the windows index.

index=windows
| stats count by sourcetype
| sort 5 -count
| eval count=tostring('count',"commas")

This search will output the following table.

Figure 1 - Table produced by the first search.


By looking at the job inspector we can determine the search efficiency.

Figure 2 - Job inspector for first search. 


This search took almost 14 minutes to run. We can calculate the Events Per Second (EPS) by dividing the number of events scanned by the number of seconds taken to complete the search. This can be helpful when determining search efficiency. The EPS for this search would be just above 228 thousand, a respectable number.

By converting the search to use the tstats command there will be an instant, notable difference in search performance.

| tstats count where index=windows by sourcetype
| sort 5 -count
| eval count=tostring('count',"commas")

This search will provide the same output as the first search. However, if we take a look at the job inspector, we will see an incredible difference in search efficiency.

Figure 3 - Search job inspector for tstats command search. 


Here we can see that the same number of events were scanned but it only took 1.342 seconds to complete! That’s an EPS of about 142 million.

Implement tstats

The tstats command is most commonly used with Splunk Enterprise Security. Any time we create a new correlation search to trigger a notable event, we first want to consider whether we can use the tstats command. The basic usage of this command is as follows; the full documentation of how to use this command can be found under Splunk’s Documentation for tstats.

| tstats <stats-function> from datamodel=<datamodel-name> where <where-conditions> by <field-list> 

| tstats `summariesonly` count from datamodel=Intrusion_Detection.IDS_Attacks where IDS_Attacks.severity=high OR IDS_Attacks.severity=critical by IDS_Attacks.src, IDS_Attacks.dest, IDS_Attacks.signature, IDS_Attacks.severity
| `drop_dm_object_name(IDS_Attacks)`

Figure 4 - Output of example tstats search for Intrusion detection data.

Notice in the example search that the dataset name “IDS_Attacks” is prepended to each field in the query. This is a requirement when searching accelerated data from the data models. Only the fields that are in the accelerated data models can be used. To find out more about the fields contained in the data models for ES see the documentation for Splunk’s Common Information Models (CIM).
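The same pattern applied to a threshold-style correlation search, as an added example that is not from the original article or from the correlation searches shipped with ES. It assumes the CIM Authentication data model is accelerated; the 10-minute span and the threshold of 20 failures are constructed values to tune for your environment, and the output names failures, distinct_users and users are chosen here for illustration.

```spl
| tstats `summariesonly` count as failures dc(Authentication.user) as distinct_users values(Authentication.user) as users
    from datamodel=Authentication.Authentication
    where Authentication.action="failure"
    by Authentication.src, Authentication.dest, _time span=10m
| `drop_dm_object_name(Authentication)`
| where failures >= 20
| sort - failures
```

Every field inside the tstats clause carries the Authentication dataset prefix. After the drop_dm_object_name macro runs, the remaining pipeline can refer to plain src and dest.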

Getting Unstuck

Understanding and correctly implementing the tstats command can significantly improve the performance of the searches being run. This command should always be considered when creating new correlation searches to improve search efficiency and overall performance of ES.

Kinney Group Splunk consultants are highly experienced and know how to get you “unstuck.” Fill out the form below to learn more about our expert Splunk solutions.
