Splunk Datamodel tstats Error

keishamtcs
Explorer

Hi All,

I have created a datamodel "Introspection_Usage" with global permission with the following dataset as given.

Datasets

EVENTS
introspection

Disk Objects
Hostwide Resource Usage
PerProcess Resource Usage

When I edit the fields and preview the fields, it works. Example field is "data.cpu_user_pct" and the display name is pct_cpu_user.
Base search is index=_introspection.
But when I use the below commands it does not work. It seems tstats is not able to do the average calculation? I have the same issue for other fields. How do I fix the issue, or am I missing something?

| tstats avg(Introspection.data.cpu_user_pct) AS CPU_USER FROM datamodel=Introspection_Usage GROUPBY _time host

Regards

1 Solution

woodcock
Esteemed Legend

Go to Settings -> Data models -> <Your Data Model> and make a careful note of the string that is directly above the word CONSTRAINTS; let's pretend that the word is ThisWord. Then do this:

| tstats avg(ThisWord.data.cpu_user_pct) AS CPU_USER FROM datamodel=Introspection_Usage GROUPBY _time host

P.S. It is trashy, if not downright evil, to deliberately create field names with spaces or periods (hyphens are not quite as bad, but why not use underscores?). That may also be part of the problem.

lakshman239
SplunkTrust

If you run a search |from datamodel:"Introspection_Usage", are you getting any data?

keishamtcs
Explorer

Hi,

Yes, I see data when I run the below command.

|from datamodel:"Introspection_Usage"

Regards

lakshman239
SplunkTrust

We may have to troubleshoot one by one - any results for this if you run for all time?

| tstats count FROM datamodel=Introspection_Usage GROUPBY host _time span=15m

keishamtcs
Explorer

The command works - | tstats count FROM datamodel=Introspection_Usage GROUPBY host _time span=15m

The result is given below. The issue is when I use the avg, values command.

host _time count
xxxxxxx 2019-04-26 15:15:00 235
aaaaaa 2019-04-26 15:30:00 750
bbbbb 2019-04-26 15:45:00 714
cccccc 2019-04-26 16:00:00 747
