Is tstats supposed to work with fields that contai...

woodcock · ‎02-19-2019

I just discovered that indexed fields with periods in them are not tstatsable in my 7.2.1 environment. Is this a known thing? Is it a bug?

For those who would like to play along, if you have INDEXED_EXTRACTIONS = json events, then you surely have some index-time fields with periods in them. First find them:

index=foo AND sourcetype=json AND index.field.with.periods=*

Then verify that it is index-time like this (it should also return events; if not, then index.field.with.periods is not index-time).

index=foo AND sourcetype=json AND index.field.with.periods::*

Then test for fail like this:

|tstats first("index.field.with.periods") AS this_should_work_but_will_not WHERE index=foo AND sourcetype=json

chrisyounger · ‎02-19-2019

This works fine for me. Did you just forget your leading pipe in the answers question? Interestingly, using single quotes doesnt work. But no quotes or double quotes works.

woodcock · ‎02-19-2019

I edited and added the pipe. What version of Splunk (Search Head and Indexers)?

chrisyounger · ‎02-19-2019

Yes it does. ver 7.2.0

Is tstats supposed to work with fields that contain period characters?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor