Splunk Datamodel tstats Error

keishamtcs
Explorer

Hi All,

I have created a datamodel "Introspection_Usage" with global permission with the following dataset as given.

Datasets

EVENTS
introspection

Disk Objects
Hostwide Resource Usage
PerProcess Resource Usage

When I edit the fields and preview the fields, it works. An example field is "data.cpu_user_pct" and the display name is pct_cpu_user.
The base search is index=_introspection.
But when I use the command below, it does not work. It seems tstats is not able to do the average calculation? I have the same issue for other fields. How do I fix the issue, or am I missing something?

| tstats avg(Introspection.data.cpu_user_pct) AS CPU_USER FROM datamodel=Introspection_Usage GROUPBY _time host

Regards

0 Karma
1 Solution

woodcock
Esteemed Legend

Go to Settings -> Data models -> <Your Data Model> and make a careful note of the string that is directly above the word CONSTRAINTS; let's pretend that the word is ThisWord. Then do this:

| tstats avg(ThisWord.data.cpu_user_pct) AS CPU_USER FROM datamodel=Introspection_Usage GROUPBY _time host

P.S. It is trashy, if not downright evil, to deliberately create field names with spaces or periods (hyphens are not quite as bad, but why not use underscores?). That may also be part of the problem.

0 Karma
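
The check described in the accepted answer, as an added example that is not part of the original thread: a small Python linter that compares the dataset prefix in each tstats aggregate against the dataset names in a data model definition. The `MODEL` layout, the `check_tstats` helper and the sample definition are assumptions constructed for illustration; `ThisWord` is the answer's placeholder, not the real dataset name.

```python
import re

# Constructed, simplified data-model definition (assumed layout: objects /
# objectName / fields / fieldName). "ThisWord" stands for the string shown
# directly above CONSTRAINTS in the data model editor.
MODEL = {
    "modelName": "Introspection_Usage",
    "objects": [
        {"objectName": "ThisWord",
         "fields": [{"fieldName": "data.cpu_user_pct"},
                    {"fieldName": "host"}]},
    ],
}

# Aggregate calls such as avg(Dataset.field.name); bare "count" has no argument.
AGG_RE = re.compile(r"\b[A-Za-z_]\w*\(\s*([^()\s]+)\s*\)")
FROM_RE = re.compile(r'\bFROM\s+datamodel\s*=\s*"?([\w.]+)"?', re.IGNORECASE)


def check_tstats(query, model):
    """Return a list of problems with dataset-qualified fields in a tstats query."""
    match = FROM_RE.search(query)
    if not match:
        return ["no 'FROM datamodel=' clause found"]
    problems = []
    model_name = match.group(1).split(".")[0]
    if model_name != model["modelName"]:
        problems.append(f"query targets data model '{model_name}', "
                        f"definition is for '{model['modelName']}'")
    datasets = {o["objectName"]: {f["fieldName"] for f in o["fields"]}
                for o in model["objects"]}
    for ref in AGG_RE.findall(query):
        if "." not in ref:
            continue  # unqualified field, nothing to compare
        # Field names may themselves contain periods, so split only once.
        prefix, field = ref.split(".", 1)
        if prefix not in datasets:
            close = [d for d in datasets if d.lower() == prefix.lower()]
            hint = f"; did you mean '{close[0]}'?" if close else ""
            problems.append(f"{ref}: '{prefix}' is not a dataset of "
                            f"{model['modelName']}{hint}")
        elif field not in datasets[prefix]:
            problems.append(f"{ref}: dataset '{prefix}' has no field '{field}'")
    return problems
```
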

lakshman239
SplunkTrust

If you run a search |from datamodel:"Introspection_Usage", are you getting any data?

0 Karma

keishamtcs
Explorer

Hi,

Yes, I see data when I run the command below.

|from datamodel:"Introspection_Usage"

Regards

0 Karma

lakshman239
SplunkTrust

We may have to troubleshoot one by one. Any results for this if you run it for all time?

| tstats count FROM datamodel=Introspection_Usage GROUPBY host _time span=15m
0 Karma

keishamtcs
Explorer

The command works: | tstats count FROM datamodel=Introspection_Usage GROUPBY host _time span=15m

The result is given below. The issue is when I use the avg, values commands.

host _time count
xxxxxxx 2019-04-26 15:15:00 235
aaaaaa 2019-04-26 15:30:00 750
bbbbb 2019-04-26 15:45:00 714
cccccc 2019-04-26 16:00:00 747

0 Karma