Solved: Re: TsidxStats Error after Splunk v8 Upgrade

afx · ‎07-06-2020

I just upgraded from 7.2.4 to 8.0.4.1

So far everything seems to be OK apart from two data models.

Web still works, but Authentication and Change(Account) both report the following error:

Error in 'TsidxStats': A field for an aggregate function is missing or invalid. Aggregate functions require fields with valid values to complete their arguments.

This for even the simplest query, like

| tstats values from datamodel=Authentication

Unfortunately I see no further explanation or hints in the search log.

Any ideas on how to get this fixed?

thx
afx

anilchaithu · ‎07-06-2020

@afx

the syntax should be

| tstats values(field_name) from datamodel=authentication

The error is also pointing the same i.e. missing field name

View solution in original post

anilchaithu · ‎07-06-2020

@afx

the syntax should be

| tstats values(field_name) from datamodel=authentication

The error is also pointing the same i.e. missing field name

the_wolverinie · ‎10-13-2021

I always wondered why that old syntax even worked. Turns out it should NOT have worked!

afx · ‎07-06-2020

Thanks!

interesting that this worked in v7. I always thought I had to have a values without field to get any data at all from the model.

thx
afx

TsidxStats Error after Splunk v8 Upgrade

troubleshooting

upgrade

using Splunk Enterprise

Enterprise Security Content Update (ESCU) | New Releases

Index This | Divide 100 by half. What do you get?

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!