Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

stats average function suddenly blank

jericksonpf
Path Finder
‎01-02-2013 10:55 AM

Hi,
I have been running a stats query for months on a very basic search to great success. I recently had to change how the field extractions that I pull from the logs look. To do this I used the manager and deleted the old extraction and created a new one with the exact same name. Since then
all the other stats functions work fine, but average comes up blank. Average works fine for other event types and searches. I have tried restarting the box and clearing my browser cache. Did i irrevocably destroy averages for this sourcetype?

This is the search i use
sourcetype="Example" | stats min(example_time), max(example_time), count(example_method), avg(example_time) by example_method

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎01-02-2013 12:58 PM

Using Verbose mode in Splunk 5.0, or with Field Discovery ON in earlier versions, do you see the fields example_time and example_method in the gray fields box? What is the letter next to the name of the fields - "a" or "#"? If it is an "a", then Splunk thinks the field is alphanumeric. You might check the values, perhaps your new extraction is picking up non-numeric characters.

Other ideas:

Are you sure the name is exactly the same? Field names are case sensitive.

Also, are the permissions on the new field extractions the same as the old field extractions?

Are the new field extractions in the same app as the old field extractions?

Apologies if you have checked these things already...

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎01-02-2013 12:58 PM

Using Verbose mode in Splunk 5.0, or with Field Discovery ON in earlier versions, do you see the fields example_time and example_method in the gray fields box? What is the letter next to the name of the fields - "a" or "#"? If it is an "a", then Splunk thinks the field is alphanumeric. You might check the values, perhaps your new extraction is picking up non-numeric characters.

Other ideas:

Are you sure the name is exactly the same? Field names are case sensitive.

Also, are the permissions on the new field extractions the same as the old field extractions?

Are the new field extractions in the same app as the old field extractions?

Apologies if you have checked these things already...

0 Karma
Reply
Solved! Jump to solution

jericksonpf
Path Finder
‎01-02-2013 02:02 PM

i just re created the example_time field and realized that it was grabbing the ms at the end of the values that are included in the logs now it is working again.

Thanks for your help

0 Karma
Reply
Solved! Jump to solution

jericksonpf
Path Finder
‎01-02-2013 01:57 PM

There is a # next to the name of the fields. The permissions and names are all the same.

0 Karma
Reply
Get Updates on the Splunk Community!

AI for AppInspect

We’re excited to announce two new updates to AppInspect designed to save you time and make the app approval ...

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...