Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

"This search uses deprecated 'stats' command syntax."

mitag
Contributor
‎08-11-2020 08:55 AM

Getting this informational message when running "stats count" commands:

This search uses deprecated 'stats' command syntax. This syntax implicitly translates '<function>' or '<function>()' to '<function>(*)', except for cases where the function is 'count'. Use '<function>(*)' instead.

I don't understand it. What am I doing wrong and what should I be doing instead? A sample of the stats command generating the message above:

| stats sparkline count(Destination) AS sessions by Destination_URL, Destination_userID

Splunk info msg - Screen Shot 2020-08-11 at 8.48.55 AM.png

Thanks!

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mitag
Contributor
‎08-18-2020 05:12 PM

Turns out it's a bug - the "deprecated syntax" notification is not supposed to happen - thanks @mattness for the post!

"Turns out this particular example is a bug. Splunk 8.0.0 through 8.0.6 generates this "info message" when you use sparkline without an argument (such as sparkline(count) or sparkline(count(cpu)). This isn't supposed to happen. The bug is fixed in upcoming versions of Splunk."

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-11-2020 09:34 AM

The sparkline argument should be a function, perhaps

| stats sparkline(count(Destination)) AS sessions by Destination_URL, Destination_userID
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

mitag
Contributor
‎08-11-2020 03:54 PM

That removes the session count field though. This one:

session count - Screen Shot 2020-08-11 at 3.53.43 PM.png

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-11-2020 05:12 PM

So add it back in.

| stats sparkline(count(Destination)), count(Destination)) AS sessions by Destination_URL, Destination_userID
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

mitag
Contributor
‎08-11-2020 05:15 PM

I did. 🙂 But doesn't that means "stats" is then run twice for the same dataset, thus unnecessarily increasing the "cost" of the search? (And somewhat clogging it, making it just a teeny bit less readable?)

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-12-2020 04:54 AM
Yes, but that's the only way to get what you want.
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

mitag
Contributor
‎08-12-2020 11:21 AM

@richgalloway just in case you have the bandwidth for a follow up question...

Here is the sample search in "Add sparklines to search results" Splunk KB article for 8.0.5 (latest) release:

 

index=_internal | chart sparkline count by sourcetype

 

It produces the same dreaded "deprecated syntax" notification in my 8.04.1 instance.

Questions:

  • How would you modify this search to remove the notification yet retain both the sparkline and the "count" field?
  • Would it make sense to try asking a new question, something like "what are Splunk recommendations on using non-deprecated 'stats' command syntax that is as performant as the deprecated one?"
Tags (2)
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-13-2020 06:13 AM
That command works without error on my 8.0.4 instance.
How do you know which syntax is more performant? Does the Job Inspector show a noticeable difference?
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

mitag
Contributor
‎08-13-2020 08:12 AM

That command works without error on my 8.0.4 instance.

This gives me the green "deprecated syntax" informational message in 8.04.1, 8.05:

index=_internal 
| chart sparkline count by sourcetype

How do you know which syntax is more performant? Does the Job Inspector show a noticeable difference?

About 10-20% faster for the "deprecated" one vs. the one you came up with, with two "count" functions.

| stats sparkline(count(Destination)), count(Destination))

 

0 Karma
Reply
Solved! Jump to solution
Solution

mitag
Contributor
‎08-18-2020 05:12 PM

Turns out it's a bug - the "deprecated syntax" notification is not supposed to happen - thanks @mattness for the post!

"Turns out this particular example is a bug. Splunk 8.0.0 through 8.0.6 generates this "info message" when you use sparkline without an argument (such as sparkline(count) or sparkline(count(cpu)). This isn't supposed to happen. The bug is fixed in upcoming versions of Splunk."

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-13-2020 11:04 AM
As they say, you can't have your cake and eat it, too. Either use the deprecated syntax (which could be supported indefinitely for all we know) or use the new syntax and suffer the (minimal) performance implications.
Oh, and submit feedback on the docs page that uses that syntax so they can correct it.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎08-12-2020 12:53 PM


index=_internal | chart sparkline count by sourcetype

https://docs.splunk.com/Documentation/Splunk/8.0.5/Search/Addsparklinestosearchresults

————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

mitag
Contributor
‎08-12-2020 01:11 PM

Typo on my part (grabbed the wrong SPL from the docs). Corrected. The solution you're proposing is the one with the problem and the one I have questions about.

0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...