Solved: TsidxStats Error after Splunk v8 Upgrade

afx · ‎07-06-2020

I just upgraded from 7.2.4 to 8.0.4.1

So far everything seems to be OK apart from two data models.

Web still works, but Authentication and Change(Account) both report the following error:

Error in 'TsidxStats': A field for an aggregate function is missing or invalid. Aggregate functions require fields with valid values to complete their arguments.

This for even the simplest query, like

| tstats values from datamodel=Authentication

Unfortunately I see no further explanation or hints in the search log.

Any ideas on how to get this fixed?

thx
afx

anilchaithu · ‎07-06-2020

@afx

the syntax should be

| tstats values(field_name) from datamodel=authentication

The error is also pointing the same i.e. missing field name

View solution in original post

anilchaithu · ‎07-06-2020

@afx

the syntax should be

| tstats values(field_name) from datamodel=authentication

The error is also pointing the same i.e. missing field name

the_wolverinie · ‎10-13-2021

I always wondered why that old syntax even worked. Turns out it should NOT have worked!

afx · ‎07-06-2020

Thanks!

interesting that this worked in v7. I always thought I had to have a values without field to get any data at all from the model.

thx
afx

TsidxStats Error after Splunk v8 Upgrade

troubleshooting

upgrade

using Splunk Enterprise

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation