-
Notifications
You must be signed in to change notification settings - Fork 14
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tstat is not working! #125
Comments
Ok, I'll look into this one. The tstats tests seem to pass, so can you provide me a list of tstat invocations that are not working? |
Like: I tried to delete different fields of tstats here to see which one caused the error. It seems that "datamodel=Authentication", "Authentication.app!=unknown", "by Authentication.app" have problems. |
"datamodel" is another Splunk command, so that makes sense that it doesn't work -- that should be fixed by PR #119. I think the period character is the source of the problem for the other case. A period is a concatenation operator with the eval commands so it has to be tokenized differently for those cases (it has to cause a token break). I use this eval-compatible approach with *stats commands because I think stats can sometimes be called with eval functions? Or some of them can anyway -- can't remember exactly. But maybe this will finally cause this approach to break. This could be a really difficult fix to make -- how many queries with tstats with "." are there? |
I remembered there are a lot, over 200 or something. So I thought tstat is not working. But I checked through them just now and found that period and datamodel seem to be the fields that most of them are in common. |
eg.
'tstats max(time) FROM datamodel=Web'
even this simple one.
The text was updated successfully, but these errors were encountered: