- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Splunk Datamodel tstats Error
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I have created a datamodel "Introspection_Usage" with global permission with the following dataset as given.
Datasets
EVENTS
introspection
Disk Objects
Hostwide Resource Usage
PerProcess Resource Usage
When i edit the fields and preview the fields it works.Example field is "data.cpu_user_pct" and the display name is pct_cpu_user.
Base search is index=_introspection.
But when i use the below commands it does not work. It seems tstats is not able to able to do the average calculation ? i have the same issue for other fields. How do i fix the issue or am i missing something ?
| tstats avg(Introspection.data.cpu_user_pct) AS CPU_USER FROM datamodel=Introspection_Usage GROUPBY _time host
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Go to Settings -> Data models -> <Your Data Model> and make a careful note of the string that is directly above the word CONSTRAINTS; let's pretend that the word is ThisWord. Then do this:
Then do this:
| tstats avg(ThisWord.data.cpu_user_pct) AS CPU_USER FROM datamodel=Introspection_Usage GROUPBY _time host
P.S. It is trashy, if not downright evil to deliberately create field names with spaces or periods ( hyphens are not quite as bad, by why not use underscores?). That may also be part of the problem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Go to Settings -> Data models -> <Your Data Model> and make a careful note of the string that is directly above the word CONSTRAINTS; let's pretend that the word is ThisWord. Then do this:
Then do this:
| tstats avg(ThisWord.data.cpu_user_pct) AS CPU_USER FROM datamodel=Introspection_Usage GROUPBY _time host
P.S. It is trashy, if not downright evil to deliberately create field names with spaces or periods ( hyphens are not quite as bad, by why not use underscores?). That may also be part of the problem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
if you run a search |from datamodel:"Introspection_Usage" are you getting any data?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Yes i see data when i run below command.
|from datamodel:"Introspection_Usage"
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
we may have to troubleshoot one by one - any results for this if you run for alltime?
| tstats count FROM datamodel=Introspection_Usage GROUPBY host _time span=15m
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The command works - | tstats count FROM datamodel=Introspection_Usage GROUPBY host _time span=15m
Result is given below. The issue is when i use avg,values command.
host _time count
xxxxxxx 2019-04-26 15:15:00 235
aaaaaa 2019-04-26 15:30:00 750
bbbbb 2019-04-26 15:45:00 714
cccccc 2019-04-26 16:00:00 747
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
