Splunk Datamodel tstats Error

Engager

Hi All,

I have created a datamodel "Introspection_Usage" with global permission with the following dataset as given.

Datasets

EVENTS
introspection

Disk Objects
Hostwide Resource Usage
PerProcess Resource Usage

When I edit the fields and preview the fields it works. Example field is "data.cpuuserpct" and the display name is pctcpuuser.
Base search is index=_introspection.
But when I use the below commands it does not work. It seems tstats is not able to do the average calculation? I have the same issue for other fields. How do I fix the issue or am I missing something?

| tstats avg(Introspection.data.cpuuserpct) AS CPUUSER FROM datamodel=IntrospectionUsage GROUPBY _time host

Regards

Esteemed Legend

Go to Settings -> Data models -> <Your Data Model> and make a careful note of the string that is directly above the word CONSTRAINTS; let's pretend that the word is ThisWord. Then do this:

| tstats avg(ThisWord.data.cpu_user_pct) AS CPU_USER FROM datamodel=Introspection_Usage GROUPBY _time host

P.S. It is trashy, if not downright evil, to deliberately create field names with spaces or periods (hyphens are not quite as bad, but why not use underscores?). That may also be part of the problem.

SplunkTrust

If you run a search |from datamodel:"Introspection_Usage" are you getting any data?

Engager

Hi,

Yes, I see data when I run the below command.

|from datamodel:"Introspection_Usage"

Regards

SplunkTrust

We may have to troubleshoot one by one - any results for this if you run for all time?

 | tstats count FROM datamodel=Introspection_Usage GROUPBY host _time span=15m

Engager

The command works - | tstats count FROM datamodel=Introspection_Usage GROUPBY host _time span=15m

Result is given below. The issue is when I use the avg, values commands.

host _time count
xxxxxxx 2019-04-26 15:15:00 235
aaaaaa 2019-04-26 15:30:00 750
bbbbb 2019-04-26 15:45:00 714
cccccc 2019-04-26 16:00:00 747
