Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search query issue on cluster environment

AKG1_old1
Builder
‎11-30-2020 06:51 AM

Hello,

I am running a search query on search head and getting below errors. When I am running same query in another environment (single node installation) its working fine.  Is there a way to fix this query. 

Both machines are indexers 

  • [hp924srv] Field 'x' does not exist in the data.
  • [hp925srv] Field 'x' does not exist in the data.

Query:

 

 

| tstats summariesonly=false  avg(All_TPS_Logs.duration) AS average, count(All_TPS_Logs.duration) AS count, stdev(All_TPS_Logs.duration) AS stdev, median(All_TPS_Logs.duration) AS median, exactperc75(All_TPS_Logs.duration) AS perc75, exactperc95(All_TPS_Logs.duration) AS perc95, exactperc99.5(All_TPS_Logs.duration) AS perc99.5, min(All_TPS_Logs.duration) AS min, max(All_TPS_Logs.duration) AS max,earliest(_time) as start, latest(_time) as stop 
FROM datamodel=TPS_V7 
WHERE (nodename=All_TPS_Logs host=AMBER_PSC47 All_TPS_Logs.duration <= 1000000000000 All_TPS_Logs.duration >= -10000000 (All_TPS_Logs.user=* OR NOT All_TPS_Logs.user=*) All_TPS_Logs.operationIdentity="*") NOT All_TPS_Logs.overflow=true 
GROUPBY All_TPS_Logs.fullyQualifiedMethod 
| rename All_TPS_Logs.fullyQualifiedMethod as fullyQualifiedMethod  
|eval time_slice_per_min = (stop-start)/60 
| eval Throughput_per_minute=count/time_slice_per_min 
| eval Throughput_per_second=count/(stop-start)
| append [ tstats summariesonly=false avg(All_TPS_Logs.duration) AS average, count(All_TPS_Logs.duration) AS count, stdev(All_TPS_Logs.duration) AS stdev, median(All_TPS_Logs.duration) AS median , exactperc75(All_TPS_Logs.duration) AS perc75 , exactperc95(All_TPS_Logs.duration) AS perc95, exactperc99.5(All_TPS_Logs.duration) AS perc99.5, min(All_TPS_Logs.duration) AS min, max(All_TPS_Logs.duration) AS max,earliest(_time) as start, latest(_time) as stop 
FROM datamodel=TPS_V7 
WHERE (nodename=All_TPS_Logs host=AMBER_PSC47 All_TPS_Logs.duration <= 1000000000000 All_TPS_Logs.duration >= -10000000 All_TPS_Logs.overflow=true (All_TPS_Logs.user=* OR NOT All_TPS_Logs.user=*) All_TPS_Logs.operationIdentity="*" ) 
GROUPBY All_TPS_Logs.fullyQualifiedMethod 
| rename All_TPS_Logs.fullyQualifiedMethod  as fullyQualifiedMethod 
|eval fullyQualifiedMethod = fullyQualifiedMethod." (overflow)" 
| eval time_slice_per_min = (stop-start)/60 
| eval Throughput_per_minute= count/time_slice_per_min
| eval Throughput_per_second=count/(stop-start) ] 
| eval average = round(average, 1) 
| eval stdev = round(stdev, 1) 
| sort - average

 

 

 

 

2020-11-30 14_44_20-Search _ Splunk 8.1.0.png

 

 

Labels (1)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...