Splunk Enterprise

TsidxStats Error after Splunk v8 Upgrade

afx
Contributor

I just upgraded from 7.2.4 to 8.0.4.1

So far everything seems to be OK apart from two data models.

Web still works, but Authentication and Change(Account) both report the following error:

Error in 'TsidxStats': A field for an aggregate function is missing or invalid. Aggregate functions require fields with valid values to complete their arguments. 

This for even the simplest query, like

| tstats values from datamodel=Authentication

Unfortunately I see no further explanation or hints in the search log.

Any ideas on how to get this fixed?

thx
afx

Tags (3)
0 Karma
1 Solution

anilchaithu
Builder

@afx 

the syntax should be

| tstats values(field_name) from datamodel=authentication

The error is also pointing the same i.e. missing field name

View solution in original post

anilchaithu
Builder

@afx 

the syntax should be

| tstats values(field_name) from datamodel=authentication

The error is also pointing the same i.e. missing field name

the_wolverinie
Engager

I always wondered why that old syntax even worked.  Turns out it should NOT have worked!

0 Karma

afx
Contributor

Thanks!

interesting that this worked in v7. I always thought I had to have a values without field to get any data at all from the model.

thx
afx

 

0 Karma
Get Updates on the Splunk Community!

New Cloud Intrusion Detection System Add-on for Splunk

In July 2022 Splunk released the Cloud IDS add-on which expanded Splunk capabilities in security and data ...

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...