Splunk Enterprise

TsidxStats Error after Splunk v8 Upgrade

afx
Contributor

I just upgraded from 7.2.4 to 8.0.4.1

So far everything seems to be OK apart from two data models.

Web still works, but Authentication and Change(Account) both report the following error:

Error in 'TsidxStats': A field for an aggregate function is missing or invalid. Aggregate functions require fields with valid values to complete their arguments. 

This for even the simplest query, like

| tstats values from datamodel=Authentication

Unfortunately I see no further explanation or hints in the search log.

Any ideas on how to get this fixed?

thx
afx

Tags (3)
0 Karma
1 Solution

anilchaithu
Builder

@afx 

the syntax should be

| tstats values(field_name) from datamodel=authentication

The error is also pointing the same i.e. missing field name

View solution in original post

anilchaithu
Builder

@afx 

the syntax should be

| tstats values(field_name) from datamodel=authentication

The error is also pointing the same i.e. missing field name

the_wolverinie
Engager

I always wondered why that old syntax even worked.  Turns out it should NOT have worked!

0 Karma

afx
Contributor

Thanks!

interesting that this worked in v7. I always thought I had to have a values without field to get any data at all from the model.

thx
afx

 

0 Karma
Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...