I have a query to average out the performance of requests for each individual server for the last one minute, as follows:
index=iis earliest=-1m host=group1_* OR host=group2_* | STATS avg(time_taken) as Value BY host | EVAL counter="Server Response Time" | fields + host, Value, counter
This works fine via the Splunk Web/UI but the exact same query yields no "Value" column when submitted via the SDK.
So this query returns exactly what I want/expect via Splunk web access: three columns: one for the host/server name, one for the average of the time_taken fields for that host, and one column containing the literal "Server Response Time", just so that the client code that I'm writing (via the Splunk C# SDK v2.0.0) can distinguish the results of this query from other queries.
However, I can't get the REST API to return any values for the "Value" column. I've mimicked the code sample from the C# SDK found in root\examples\normal-search\Program.cs, using the example of the "Pull Model" code sample.
And my code works fine for other Splunk queries; just not this query with the "STATS avg(...)" clause.
Interestingly, the Splunk.Client.SearchResult object does have an entry in its .FieldNames collection named "Value", but the dynamic object itself never has a .Value property, nor can I find anything resembling the Value column I see just fine when running the same query within the Web/UI. I can however find all other columns in the dynamic object.
Additionally, I looked at the request to the REST API itself and it appears as though the "Value" field is defined differently than the other fields, "host" and "counter", but I cannot understand the reasons why.
<?xml version='1.0' encoding='UTF-8'?>
<results preview='0'>
  <meta>
    <fieldOrder>
      <field groupby_rank="0">host</field>
      <field>Value</field>
      <field type="str">counter</field>
    </fieldOrder>
  </meta>
  <result offset='0'>
    <field k='host'>
      <value h='1'><text>[redacted]</text></value>
    </field>
    <field k='counter'>
      <value><text>Server Response Time</text></value>
    </field>
  </result>
  <result offset='1'>
    <field k='host'>
      <value h='1'><text>[redacted]</text></value>
    </field>
    <field k='counter'>
      <value><text>Server Response Time</text></value>
    </field>
  </result>
and so on.
Thank you in advance for any help!
That's a good idea to try. Unfortunately "Foo" doesn't work either, as in: index=iis earliest=-1m host=group1_* OR host=group2_** | STATS avg(time_taken) as Foo BY host | EVAL counter="Server Response Time" | fields + host, Foo, counter
My guess is that something to do with "STATS" or "avg" or the piping is preventing the field from being returned, but I haven't been able to figure out how to overcome it.
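A diagnostic for the raw REST response quoted in the question, as an added example that is not part of the original posts or of the Splunk SDK: it compares the fields declared in `<fieldOrder>` with the fields each `<result>` actually carries, which shows whether a column is already absent in the server's response before any client library parses it. The sample XML is constructed in the shape of the quoted response (placeholder host names, a closing tag, and a second result that does include `Value` for contrast); the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the response quoted in the question.
SAMPLE = b"""<?xml version='1.0' encoding='UTF-8'?>
<results preview='0'>
  <meta><fieldOrder>
    <field groupby_rank="0">host</field>
    <field>Value</field>
    <field type="str">counter</field>
  </fieldOrder></meta>
  <result offset='0'>
    <field k='host'><value h='1'><text>host-a</text></value></field>
    <field k='counter'><value><text>Server Response Time</text></value></field>
  </result>
  <result offset='1'>
    <field k='host'><value h='1'><text>host-b</text></value></field>
    <field k='Value'><value><text>123.5</text></value></field>
    <field k='counter'><value><text>Server Response Time</text></value></field>
  </result>
</results>"""


def parse_results(xml_bytes):
    """Return (declared field names, [(offset, {field: [values]}), ...])."""
    root = ET.fromstring(xml_bytes)
    declared = [f.text for f in root.findall("./meta/fieldOrder/field")]
    rows = []
    for result in root.findall("result"):
        values = {}
        for field in result.findall("field"):
            # A field may carry several <value> elements (multivalue field).
            values[field.get("k")] = [
                v.findtext("text", default="") for v in field.findall("value")
            ]
        rows.append((int(result.get("offset")), values))
    return declared, rows


def missing_fields(xml_bytes):
    """Map result offset -> declared fields that have no value in that result."""
    declared, rows = parse_results(xml_bytes)
    report = {}
    for offset, values in rows:
        absent = [name for name in declared if not any(values.get(name, []))]
        if absent:
            report[offset] = absent
    return report
```

Calling `missing_fields` on a saved copy of the response body lists, per result offset, every column that `<fieldOrder>` announces but the result omits.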