This syntax ..
| stats sum(transmitted_MB) AS transmitted_total_MB, sum(received_MB) AS received_total_MB, count earliest(_time) AS et count latest(_time) AS lt BY username, src, url, http_method, http_user_agent, filter_category
works fine on our Live environment which is 6.1.1 SPLUNK enterprise.
We are upgrading and migrating to a 6.4.2 environment using HUNK to a HADOOP back end. The same syntax (literally cut and pasted over) throws the following error.
Error in 'stats' command: 1 duplicate rename field(s). Original renames: [transmitted_total_MB received_total_MB count et count lt]. Duplicate renames: [count].
Has anyone seen something similar?
Can you validate if this works when you use Splunk 6.4.2 instead of Hunk 6.4.2?