Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

stats average function suddenly blank

jericksonpf
Path Finder
‎01-02-2013 10:55 AM

Hi,
I have been running a stats query for months on a very basic search to great success. I recently had to change how the field extractions that I pull from the logs look. To do this I used the manager and deleted the old extraction and created a new one with the exact same name. Since then
all the other stats functions work fine, but average comes up blank. Average works fine for other event types and searches. I have tried restarting the box and clearing my browser cache. Did i irrevocably destroy averages for this sourcetype?

This is the search i use
sourcetype="Example" | stats min(example_time), max(example_time), count(example_method), avg(example_time) by example_method

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎01-02-2013 12:58 PM

Using Verbose mode in Splunk 5.0, or with Field Discovery ON in earlier versions, do you see the fields example_time and example_method in the gray fields box? What is the letter next to the name of the fields - "a" or "#"? If it is an "a", then Splunk thinks the field is alphanumeric. You might check the values, perhaps your new extraction is picking up non-numeric characters.

Other ideas:

Are you sure the name is exactly the same? Field names are case sensitive.

Also, are the permissions on the new field extractions the same as the old field extractions?

Are the new field extractions in the same app as the old field extractions?

Apologies if you have checked these things already...

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎01-02-2013 12:58 PM

Using Verbose mode in Splunk 5.0, or with Field Discovery ON in earlier versions, do you see the fields example_time and example_method in the gray fields box? What is the letter next to the name of the fields - "a" or "#"? If it is an "a", then Splunk thinks the field is alphanumeric. You might check the values, perhaps your new extraction is picking up non-numeric characters.

Other ideas:

Are you sure the name is exactly the same? Field names are case sensitive.

Also, are the permissions on the new field extractions the same as the old field extractions?

Are the new field extractions in the same app as the old field extractions?

Apologies if you have checked these things already...

0 Karma
Reply
Solved! Jump to solution

jericksonpf
Path Finder
‎01-02-2013 02:02 PM

i just re created the example_time field and realized that it was grabbing the ms at the end of the values that are included in the logs now it is working again.

Thanks for your help

0 Karma
Reply
Solved! Jump to solution

jericksonpf
Path Finder
‎01-02-2013 01:57 PM

There is a # next to the name of the fields. The permissions and names are all the same.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top