Receiving error: Input schema does not have the field _messagetime (1)


1 comment

  • Kevin Keech

    The error you are seeing is the result of the order in which you are using the operators in your query. Once an aggregation operation is performed, in your case the avg() operation, the only fields available for further operations are those which were created with the aggregate operations, in your case "response_time_5m"; all the other meta fields or fields you previously parsed (e.g. response_time) are no longer available after this operation occurs. Since the timeslice operation works off of the _messagetime meta field, you are receiving this error because that field is no longer available.

    What you will need to do is simply move the timeslice operation a little earlier in your query, before the aggregation. You can then perform the avg() function by each timeslice, e.g. "avg(value) as avg_value by _timeslice", to get the aggregate value by each 5-minute period. I assume this is the end result you are looking for.

    So using your original query the new query would look like this:


    | parse "response.time:*ms" as response_time

    | timeslice by 5m

    | avg(response_time) as response_time_5m by _timeslice

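The operator-ordering behaviour described in the answer above, emulated in Python as an added example (not part of the original thread and not Sumo Logic's implementation). The sample messages, the timestamp base `B`, and the assumption that the failing query ran avg() before timeslice are constructed for illustration.

```python
import re
from collections import defaultdict

B = 1700000100  # constructed epoch second, aligned to a 5-minute boundary
ROWS = [  # constructed sample messages
    {"_messagetime": B + 10,  "_raw": "GET /a response.time:120ms"},
    {"_messagetime": B + 200, "_raw": "GET /b response.time:80ms"},
    {"_messagetime": B + 310, "_raw": "GET /a response.time:200ms"},
]

class SchemaError(Exception):
    pass

def parse(rows):
    """Models: | parse "response.time:*ms" as response_time"""
    out = []
    for r in rows:
        m = re.search(r"response\.time:(\d+)ms", r["_raw"])
        if m:
            out.append({**r, "response_time": float(m.group(1))})
    return out

def timeslice(rows, seconds=300):
    """Models: | timeslice by 5m. Buckets on _messagetime, so it must exist."""
    if any("_messagetime" not in r for r in rows):
        raise SchemaError("Input schema does not have the field _messagetime")
    return [{**r, "_timeslice": r["_messagetime"] // seconds * seconds} for r in rows]

def avg(rows, field, alias, by=()):
    """Aggregate: output rows carry only the group-by keys and the alias."""
    groups = defaultdict(list)
    for r in rows:
        groups[tuple(r[k] for k in by)].append(r[field])
    return [{**dict(zip(by, k)), alias: sum(v) / len(v)} for k, v in sorted(groups.items())]

def aggregate_then_timeslice():
    """Assumed failing order: avg first, then timeslice on the reduced schema."""
    try:
        return timeslice(avg(parse(ROWS), "response_time", "response_time_5m"))
    except SchemaError as e:
        return str(e)

def timeslice_then_aggregate():
    """Order from the answer: timeslice first, then avg ... by _timeslice."""
    return avg(timeslice(parse(ROWS)), "response_time", "response_time_5m", by=("_timeslice",))

if __name__ == "__main__":
    print(aggregate_then_timeslice())
    print(timeslice_then_aggregate())
```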
