Getting "Subquery failed with error: Field _messagetime not found, please check the spelling and try again." When attempting to use timeslice

Asked Jan 17 '22 at 10:16

Active Jan 17 '22 at 10:16

Viewed 763 times

This is my query.

_sourceCategory=contactlist-prod
[subquery:_sourceCategory=contactlist-prod "recycle"
| count by campaign | compose campaign keywords] | parse "Handling export of*contacts" as message | replace(message, /([^0-9])/, "") as contacts | count_distinct (contacts) by contacts | avg(contacts) as avgcontacts | timeslice 1m | count by _timeslice

For some reason, i'm getting this error when I try to use timeslice on my sumo query.

Subquery failed with error: Field _messagetime not found, please check the spelling and try again.

I assume this is because my subquery also needs a timeslice but I can't see a way to include a timeslice in my subquery also. Is there any way to get around this?

asked Jan 17 '22 at 10:16

Will Mannix

I faced a similar issue when I tried to use the timeslice function after an aggregate one (such as avg or sum). Doesn't it help to use the timeslice command before the aggregate functions? – Cristi Nica Aug 19 '22 at 13:23

Getting "Subquery failed with error: Field _messagetime not found, please check the spelling and try again." When attempting to use timeslice

0 Answers0