https://community.splunk.com/t5/Splunk-Search/Splunk-Datamodel-tstats-Error/m-p/432855#M123670 <P>if you run a search <CODE>|from datamodel:"Introspection_Usage"</CODE> are you getting any data?</P> Fri, 26 Apr 2019 14:53:54 GMT lakshman239 2019-04-26T14:53:54Z https://community.splunk.com/t5/Splunk-Search/Splunk-Datamodel-tstats-Error/m-p/432854#M123669 <P>Hi All,</P> <P>I have created a datamodel "Introspection_Usage" with global permission with the following dataset as given.</P> <P>Datasets</P> <P>EVENTS<BR /> introspection</P> <P>Disk Objects<BR /> Hostwide Resource Usage<BR /> PerProcess Resource Usage</P> <P>When i edit the fields and preview the fields it works.Example field is "data.cpu_user_pct" and the display name is pct_cpu_user.<BR /> Base search is index=_introspection.<BR /> But when i use the below commands it does not work. It seems tstats is not able to able to do the average calculation ? i have the same issue for other fields. How do i fix the issue or am i missing something ?</P> <P>| tstats avg(Introspection.data.cpu_user_pct) AS CPU_USER FROM datamodel=Introspection_Usage GROUPBY _time host</P> <P>Regards</P> Wed, 30 Sep 2020 00:17:12 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Datamodel-tstats-Error/m-p/432854#M123669 keishamtcs 2020-09-30T00:17:12Z https://community.splunk.com/t5/Splunk-Search/Splunk-Datamodel-tstats-Error/m-p/432855#M123670 <P>if you run a search <CODE>|from datamodel:"Introspection_Usage"</CODE> are you getting any data?</P> Fri, 26 Apr 2019 14:53:54 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Datamodel-tstats-Error/m-p/432855#M123670 lakshman239 2019-04-26T14:53:54Z https://community.splunk.com/t5/Splunk-Search/Splunk-Datamodel-tstats-Error/m-p/432856#M123671 <P>Hi,</P> <P>Yes i see data when i run below command.</P> <P>|from datamodel:"Introspection_Usage" </P> <P>Regards</P> Fri, 26 Apr 2019 15:07:48 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Datamodel-tstats-Error/m-p/432856#M123671 keishamtcs 2019-04-26T15:07:48Z https://community.splunk.com/t5/Splunk-Search/Splunk-Datamodel-tstats-Error/m-p/432857#M123672 <P>we may have to troubleshoot one by one - any results for this if you run for alltime?</P> <PRE><CODE> | tstats count FROM datamodel=Introspection_Usage GROUPBY host _time span=15m </CODE></PRE> Fri, 26 Apr 2019 15:21:52 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Datamodel-tstats-Error/m-p/432857#M123672 lakshman239 2019-04-26T15:21:52Z https://community.splunk.com/t5/Splunk-Search/Splunk-Datamodel-tstats-Error/m-p/432858#M123673 <P>The command works - | tstats count FROM datamodel=Introspection_Usage GROUPBY host _time span=15m</P> <P>Result is given below. The issue is when i use avg,values command.</P> <P>host _time count<BR /> xxxxxxx 2019-04-26 15:15:00 235<BR /> aaaaaa 2019-04-26 15:30:00 750<BR /> bbbbb 2019-04-26 15:45:00 714<BR /> cccccc 2019-04-26 16:00:00 747</P> Fri, 26 Apr 2019 15:28:02 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Datamodel-tstats-Error/m-p/432858#M123673 keishamtcs 2019-04-26T15:28:02Z https://community.splunk.com/t5/Splunk-Search/Splunk-Datamodel-tstats-Error/m-p/432859#M123674 <P>Go to <CODE>Settings</CODE> -&gt; <CODE>Data models</CODE> -&gt; <CODE>&lt;Your Data Model&gt;</CODE> and make a careful note of the string that is directly above the word <CODE>CONSTRAINTS</CODE>; let's pretend that the word is <CODE>ThisWord</CODE>. Then do this:</P> <P>Then do this:</P> <PRE><CODE>| tstats avg(ThisWord.data.cpu_user_pct) AS CPU_USER FROM datamodel=Introspection_Usage GROUPBY _time host </CODE></PRE> <P>P.S. It is trashy, if not downright evil to deliberately create field names with <CODE>spaces</CODE> or <CODE>periods</CODE> ( <CODE>hyphens</CODE> are not quite as bad, by why not use <CODE>underscores</CODE>?). That may also be part of the problem.</P> Sat, 27 Apr 2019 01:15:53 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Datamodel-tstats-Error/m-p/432859#M123674 woodcock 2019-04-27T01:15:53Z