- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- stats average function suddenly blank
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have been running a stats query for months on a very basic search to great success. I recently had to change how the field extractions that I pull from the logs look. To do this I used the manager and deleted the old extraction and created a new one with the exact same name. Since then
all the other stats functions work fine, but average comes up blank. Average works fine for other event types and searches. I have tried restarting the box and clearing my browser cache. Did i irrevocably destroy averages for this sourcetype?
This is the search i use
sourcetype="Example" | stats min(example_time), max(example_time), count(example_method), avg(example_time) by example_method
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using Verbose mode in Splunk 5.0, or with Field Discovery ON in earlier versions, do you see the fields example_time and example_method in the gray fields box? What is the letter next to the name of the fields - "a" or "#"? If it is an "a", then Splunk thinks the field is alphanumeric. You might check the values, perhaps your new extraction is picking up non-numeric characters.
Other ideas:
Are you sure the name is exactly the same? Field names are case sensitive.
Also, are the permissions on the new field extractions the same as the old field extractions?
Are the new field extractions in the same app as the old field extractions?
Apologies if you have checked these things already...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using Verbose mode in Splunk 5.0, or with Field Discovery ON in earlier versions, do you see the fields example_time and example_method in the gray fields box? What is the letter next to the name of the fields - "a" or "#"? If it is an "a", then Splunk thinks the field is alphanumeric. You might check the values, perhaps your new extraction is picking up non-numeric characters.
Other ideas:
Are you sure the name is exactly the same? Field names are case sensitive.
Also, are the permissions on the new field extractions the same as the old field extractions?
Are the new field extractions in the same app as the old field extractions?
Apologies if you have checked these things already...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i just re created the example_time field and realized that it was grabbing the ms at the end of the values that are included in the logs now it is working again.
Thanks for your help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is a # next to the name of the fields. The permissions and names are all the same.
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
