Splunk Enterprise

TsidxStats Error after Splunk v8 Upgrade

afx
Contributor

I just upgraded from 7.2.4 to 8.0.4.1

So far everything seems to be OK apart from two data models.

Web still works, but Authentication and Change(Account) both report the following error:

Error in 'TsidxStats': A field for an aggregate function is missing or invalid. Aggregate functions require fields with valid values to complete their arguments. 

This for even the simplest query, like

| tstats values from datamodel=Authentication

Unfortunately I see no further explanation or hints in the search log.

Any ideas on how to get this fixed?

thx
afx

Tags (3)
0 Karma
1 Solution

anilchaithu
Builder

@afx 

the syntax should be

| tstats values(field_name) from datamodel=authentication

The error is also pointing the same i.e. missing field name

View solution in original post

anilchaithu
Builder

@afx 

the syntax should be

| tstats values(field_name) from datamodel=authentication

The error is also pointing the same i.e. missing field name

the_wolverinie
Engager

I always wondered why that old syntax even worked.  Turns out it should NOT have worked!

0 Karma

afx
Contributor

Thanks!

interesting that this worked in v7. I always thought I had to have a values without field to get any data at all from the model.

thx
afx

 

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...