The following join field(s) do not exist in the da...

Splunk Search

I've upgraded from splunk 8.0.3 to 8.2.2, and now i'm getting errors for my metrics query.

This used to work:

| mstats rate(_value) prestats=true WHERE metric_name="traffic_in" AND index="em_metrics" AND description="EDGE" AND name_cache="EDGE" span=60s BY name_cache
| timechart rate(_value) span=120s useother=false BY name_cache
| fields -_span*
| rename "EDGE" as traffic_in
| eval Gb_in=(traffic_in*8/1000/1000/1000)
| append [
| mstats rate(_value) prestats=true WHERE metric_name="traffic_out" AND index="em_metrics" AND name_cache="EDGE" span=60s BY name_cache
| timechart rate(_value) span=120s useother=false BY name_cache| fields - _span*
| rename "EDGE" as traffic_out
| eval Gb_out=(traffic_out*8/1000/1000/1000)
]
| selfjoin keepsingle=true _time| fields _time Gb_in, Gb_out

Now i get an error that says The following join field(s) do not exist in the data '_time'.

Has anything changed from 8.0.3 to 8.2.2 that could explain this?

Get Updates on the Splunk Community!

The following join field(s) do not exist in the data '_time'

join

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

The following join field(s) do not exist in the data '_time'

join

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...