Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

The following join field(s) do not exist in the data '_time'

Sparky1
Explorer
‎11-15-2021 12:09 PM

 I've upgraded from splunk 8.0.3 to 8.2.2, and now i'm getting errors for my metrics query.

This used to work:

| mstats rate(_value) prestats=true WHERE metric_name="traffic_in" AND index="em_metrics" AND description="EDGE" AND name_cache="EDGE" span=60s BY name_cache
| timechart rate(_value) span=120s useother=false BY name_cache
| fields -_span*
| rename "EDGE" as traffic_in
| eval Gb_in=(traffic_in*8/1000/1000/1000)
| append [
| mstats rate(_value) prestats=true WHERE metric_name="traffic_out" AND index="em_metrics" AND name_cache="EDGE" span=60s BY name_cache
| timechart rate(_value) span=120s useother=false BY name_cache| fields - _span*
| rename "EDGE" as traffic_out
| eval Gb_out=(traffic_out*8/1000/1000/1000)
]
| selfjoin keepsingle=true _time| fields _time Gb_in, Gb_out

Now i get an error that says The following join field(s) do not exist in the data '_time'. 

Has anything changed from 8.0.3 to 8.2.2 that could explain this?

Labels (1)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...