tstat is not working!

Question

tstat is not working!

keroro824 opened this issue 10 years ago · 4 comments

eg.

'tstats max(time) FROM datamodel=Web'

even this simple one.

Answer 1 · 2014-04-15T18:57:10.000Z

Ok, I'll look into this one. The tstats tests seem to pass, so can you provide me a list of tstat invocations that are not working?

Answer 2 · 2014-04-15T19:28:46.000Z

Like:
tstats summariesonly min(_time) as firstTime,max(_time) as lastTime from datamodel=Authentication where Authentication.app!=unknown by Authentication.app

I tried to delete different fields of tstats here to see which one caused the error. It seems that "datamodel=Authentication", "Authentication.app!=unknown", "by Authentication.app" have problems.

Answer 3 · 2014-04-15T19:35:03.000Z

"datamodel" is another Splunk command, so that makes sense that it doesn't work -- that should be fixed by PR #119. I think the period character is the source of the problem for the other case. A period is a concatenation operator with the eval commands so it has to be tokenized differently for those cases (it has to cause a token break). I use this eval-compatible approach with *stats commands because I think stats can sometimes be called with eval functions? Or some of them can anyway -- can't remember exactly. But maybe this will finally cause this approach to break. This could be a really difficult fix to make -- how many queries with tstats with "." are there?

Answer 4 · 2014-04-15T19:42:27.000Z

I remembered there are a lot, over 200 or something. So I thought tstat is not working. But I checked through them just now and found that period and datamodel seem to be the fields that most of them are in common.