salspaugh
tstat is not working!
Ok, I'll look into this one. The tstats tests seem to pass, so can you provide me a list of tstat invocations that are not working?
Like:
tstats summariesonly min(_time) as firstTime,max(_time) as lastTime from datamodel=Authentication where Authentication.app!=unknown by Authentication.app
I tried to delete different fields of tstats here to see which one caused the error. It seems that "datamodel=Authentication", "Authentication.app!=unknown", "by Authentication.app" have problems.
"datamodel" is another Splunk command, so that makes sense that it doesn't work -- that should be fixed by PR #119. I think the period character is the source of the problem for the other case. A period is a concatenation operator with the eval commands so it has to be tokenized differently for those cases (it has to cause a token break). I use this eval-compatible approach with *stats commands because I think stats can sometimes be called with eval functions? Or some of them can anyway -- can't remember exactly. But maybe this will finally cause this approach to break. This could be a really difficult fix to make -- how many queries with tstats with "." are there?
I remembered there are a lot, over 200 or something. So I thought tstat is not working. But I checked through them just now and found that period and datamodel seem to be the fields that most of them are in common.