Splunk Search

"This search uses deprecated 'stats' command syntax."

mitag
Contributor

Getting this informational message when running "stats count" commands:

This search uses deprecated 'stats' command syntax. This syntax implicitly translates '<function>' or '<function>()' to '<function>(*)', except for cases where the function is 'count'. Use '<function>(*)' instead.

I don't understand it. What am I doing wrong and what should I be doing instead? A sample of the stats command generating the message above:

| stats sparkline count(Destination) AS sessions by Destination_URL, Destination_userID

[Screenshot: Splunk info message, 2020-08-11]

Thanks!


mitag
Contributor

Turns out it's a bug - the "deprecated syntax" notification is not supposed to happen - thanks @mattness for the post!

"Turns out this particular example is a bug. Splunk 8.0.0 through 8.0.6 generates this "info message" when you use sparkline without an argument (such as sparkline(count) or sparkline(count(cpu)). This isn't supposed to happen. The bug is fixed in upcoming versions of Splunk."


richgalloway
SplunkTrust

The sparkline argument should be a function, perhaps

| stats sparkline(count(Destination)) AS sessions by Destination_URL, Destination_userID
---
If this reply helps you, Karma would be appreciated.

mitag
Contributor

That removes the session count field though. This one:

[Screenshot: session count field, 2020-08-11]


richgalloway
SplunkTrust

So add it back in.

| stats sparkline(count(Destination)), count(Destination) AS sessions by Destination_URL, Destination_userID

mitag
Contributor

I did. 🙂 But doesn't that mean "stats" is then run twice for the same dataset, thus unnecessarily increasing the "cost" of the search? (And somewhat clogging it, making it just a teeny bit less readable?)


richgalloway
SplunkTrust
Yes, but that's the only way to get what you want.

mitag
Contributor

@richgalloway just in case you have the bandwidth for a follow up question...

Here is the sample search in "Add sparklines to search results" Splunk KB article for 8.0.5 (latest) release:

index=_internal | chart sparkline count by sourcetype

It produces the same dreaded "deprecated syntax" notification in my 8.0.4.1 instance.

Questions:

  • How would you modify this search to remove the notification yet retain both the sparkline and the "count" field?
  • Would it make sense to try asking a new question, something like "what are Splunk recommendations on using non-deprecated 'stats' command syntax that is as performant as the deprecated one?"

richgalloway
SplunkTrust
That command works without error on my 8.0.4 instance.
How do you know which syntax is more performant? Does the Job Inspector show a noticeable difference?

mitag
Contributor

"That command works without error on my 8.0.4 instance."

This gives me the green "deprecated syntax" informational message in 8.0.4.1 and 8.0.5:

index=_internal 
| chart sparkline count by sourcetype

"How do you know which syntax is more performant? Does the Job Inspector show a noticeable difference?"

About 10-20% faster for the "deprecated" one vs. the one you came up with, with two "count" functions.

| stats sparkline(count(Destination)), count(Destination)
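
Scripting the comparison made by hand in the Job Inspector above, as an added example (my code, not from any poster and not Splunk's own tooling): it runs each form of the search several times against the Splunk REST API, records each job's runDuration and messages, and flags the "deprecated 'stats' command syntax" notice. The endpoint shape (POST /services/search/jobs with exec_mode=blocking, then GET the job, reading runDuration and messages from entry[0].content) and the Basic-auth transport are assumptions from the public REST API; fake_transport and its timings are constructed stand-ins so the block runs offline.

```python
"""Compare two SPL forms by job runDuration and job messages.

Assumed REST API shape (stdlib only, no splunk-sdk needed):
  POST /services/search/jobs  search=... exec_mode=blocking  -> {"sid": ...}
  GET  /services/search/jobs/<sid>?output_mode=json -> entry[0].content with
       "runDuration" and "messages": [{"type": ..., "text": ...}, ...]
"""
import base64
import json
import ssl
import statistics
import urllib.parse
import urllib.request

DEPRECATION_MARKER = "deprecated 'stats' command syntax"


def make_transport(base_url, username, password, verify_tls=True):
    """Build transport(method, path, data=None) -> dict for a live instance."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab instances with self-signed certs only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def transport(method, path, data=None):
        body = urllib.parse.urlencode(data).encode() if data else None
        req = urllib.request.Request(base_url + path, data=body, method=method,
                                     headers={"Authorization": "Basic " + token})
        with urllib.request.urlopen(req, context=ctx, timeout=300) as resp:
            return json.loads(resp.read())
    return transport


def run_job(transport, spl):
    """Run one search to completion; return (runDuration seconds, messages)."""
    created = transport("POST", "/services/search/jobs",
                        {"search": spl, "exec_mode": "blocking", "output_mode": "json"})
    sid = urllib.parse.quote(created["sid"], safe="")
    job = transport("GET", f"/services/search/jobs/{sid}?output_mode=json")
    content = job["entry"][0]["content"]
    messages = [(m.get("type", ""), m.get("text", ""))
                for m in content.get("messages", [])]
    return float(content["runDuration"]), messages


def compare(transport, searches, runs=5):
    """Run each labelled search `runs` times; report median time and messages."""
    report = {}
    for label, spl in searches.items():
        durations, seen = [], set()
        for _ in range(runs):
            seconds, messages = run_job(transport, spl)
            durations.append(seconds)
            seen.update(messages)
        report[label] = {"median_s": statistics.median(durations),
                         "messages": sorted(seen)}
    return report


def flags_deprecated_syntax(messages):
    """True if any job message is the 'deprecated stats syntax' notice."""
    return any(DEPRECATION_MARKER in text for _, text in messages)


# The two forms discussed in the thread; REST searches must start with
# 'search' or '|'.
SEARCHES = {
    "bare sparkline": "search index=_internal | stats sparkline count by sourcetype",
    "explicit": "search index=_internal | stats sparkline(count), count by sourcetype",
}


def fake_transport(method, path, data=None):
    """Constructed offline stand-in for the REST API (made-up timings/message)."""
    if method == "POST":
        return {"sid": "bare" if "sparkline count" in data["search"] else "explicit"}
    bare = "/bare?" in path
    msgs = ([{"type": "INFO", "text": "This search uses " + DEPRECATION_MARKER + "."}]
            if bare else [])
    return {"entry": [{"content": {"runDuration": "0.40" if bare else "0.47",
                                   "messages": msgs}}]}


def demo():
    """Run the comparison against the constructed fake so it works offline."""
    return compare(fake_transport, SEARCHES, runs=3)


if __name__ == "__main__":
    for label, row in demo().items():
        print(f"{label:15} median {row['median_s']:.2f}s  "
              f"deprecation notice: {flags_deprecated_syntax(row['messages'])}")
```

Against a real instance, replace fake_transport with make_transport("https://splunk.example:8089", user, password) (the host is a placeholder). Taking the median over several runs smooths scheduler and cache noise, which matters when the difference being chased is in the 10-20% range rather than an order of magnitude.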


richgalloway
SplunkTrust
As they say, you can't have your cake and eat it, too. Either use the deprecated syntax (which could be supported indefinitely for all we know) or use the new syntax and suffer the (minimal) performance implications.
Oh, and submit feedback on the docs page that uses that syntax so they can correct it.

thambisetty
SplunkTrust


index=_internal | chart sparkline count by sourcetype

https://docs.splunk.com/Documentation/Splunk/8.0.5/Search/Addsparklinestosearchresults

————————————
If this helps, give a like below.

mitag
Contributor

Typo on my part (grabbed the wrong SPL from the docs). Corrected. The solution you're proposing is the one with the problem and the one I have questions about.
