Splunk Search

"This search uses deprecated 'stats' command syntax."

mitag
Contributor

Getting this informational message when running "stats count" commands:

This search uses deprecated 'stats' command syntax. This syntax implicitly translates '<function>' or '<function>()' to '<function>(*)', except for cases where the function is 'count'. Use '<function>(*)' instead.

I don't understand it. What am I doing wrong and what should I be doing instead? A sample of the stats command generating the message above:

| stats sparkline count(Destination) AS sessions by Destination_URL, Destination_userID

Splunk info msg - Screen Shot 2020-08-11 at 8.48.55 AM.png

Thanks!

Labels (1)
Tags (3)
0 Karma
1 Solution

mitag
Contributor

Turns out it's a bug - the "deprecated syntax" notification is not supposed to happen - thanks @mattness for the post!

"Turns out this particular example is a bug. Splunk 8.0.0 through 8.0.6 generates this "info message" when you use sparkline without an argument (such as sparkline(count) or sparkline(count(cpu)). This isn't supposed to happen. The bug is fixed in upcoming versions of Splunk."

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The sparkline argument should be a function, perhaps

| stats sparkline(count(Destination)) AS sessions by Destination_URL, Destination_userID
---
If this reply helps you, Karma would be appreciated.

mitag
Contributor

That removes the session count field though. This one:

session count - Screen Shot 2020-08-11 at 3.53.43 PM.png

0 Karma

richgalloway
SplunkTrust
SplunkTrust

So add it back in.

| stats sparkline(count(Destination)), count(Destination)) AS sessions by Destination_URL, Destination_userID
---
If this reply helps you, Karma would be appreciated.

mitag
Contributor

I did. 🙂 But doesn't that means "stats" is then run twice for the same dataset, thus unnecessarily increasing the "cost" of the search? (And somewhat clogging it, making it just a teeny bit less readable?)

0 Karma

richgalloway
SplunkTrust
SplunkTrust
Yes, but that's the only way to get what you want.
---
If this reply helps you, Karma would be appreciated.

mitag
Contributor

@richgalloway just in case you have the bandwidth for a follow up question...

Here is the sample search in "Add sparklines to search results" Splunk KB article for 8.0.5 (latest) release:

 

index=_internal | chart sparkline count by sourcetype

 

It produces the same dreaded "deprecated syntax" notification in my 8.04.1 instance.

Questions:

  • How would you modify this search to remove the notification yet retain both the sparkline and the "count" field?
  • Would it make sense to try asking a new question, something like "what are Splunk recommendations on using non-deprecated 'stats' command syntax that is as performant as the deprecated one?"
Tags (2)
0 Karma

richgalloway
SplunkTrust
SplunkTrust
That command works without error on my 8.0.4 instance.
How do you know which syntax is more performant? Does the Job Inspector show a noticeable difference?
---
If this reply helps you, Karma would be appreciated.
0 Karma

mitag
Contributor

That command works without error on my 8.0.4 instance.

This gives me the green "deprecated syntax" informational message in 8.04.1, 8.05:

index=_internal 
| chart sparkline count by sourcetype

How do you know which syntax is more performant? Does the Job Inspector show a noticeable difference?

About 10-20% faster for the "deprecated" one vs. the one you came up with, with two "count" functions.

| stats sparkline(count(Destination)), count(Destination))

 

0 Karma

mitag
Contributor

Turns out it's a bug - the "deprecated syntax" notification is not supposed to happen - thanks @mattness for the post!

"Turns out this particular example is a bug. Splunk 8.0.0 through 8.0.6 generates this "info message" when you use sparkline without an argument (such as sparkline(count) or sparkline(count(cpu)). This isn't supposed to happen. The bug is fixed in upcoming versions of Splunk."

0 Karma

richgalloway
SplunkTrust
SplunkTrust
As they say, you can't have your cake and eat it, too. Either use the deprecated syntax (which could be supported indefinitely for all we know) or use the new syntax and suffer the (minimal) performance implications.
Oh, and submit feedback on the docs page that uses that syntax so they can correct it.
---
If this reply helps you, Karma would be appreciated.
0 Karma

thambisetty
Super Champion


index=_internal | chart sparkline count by sourcetype

https://docs.splunk.com/Documentation/Splunk/8.0.5/Search/Addsparklinestosearchresults

————————————
If this helps, give a like below.
0 Karma

mitag
Contributor

Typo on my part (grabbed the wrong SPL from the docs). Corrected. The solution you're proposing is the one with the problem and the one I have questions about.

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...