topic Re: Splunk ES query which uses datamodel and also uses custom index values in Deployment Architecture

Splunk ES query which uses datamodel and also uses custom index values

indut — Tue, 22 Sep 2020 11:44:40 GMT

Hi,

I have a requirement to use write a splunk query which uses ES based data model to better make use of the fields provided and also I want to limit my search to my custom index values.

So, for example I want to make use of Authentication.Authentication to return fields action and _time using Authentication datamodel and the index values limited to A,B,C only and I tried with a query like below and it doesn't work.

|`tstats` count from datamodel=Authentication.Authentication by _time,Authentication.action span=10m |where Authentication.index IN(index=A,B,C)|timechart minspan=10m count by Authentication.action|`drop_dm_object_name("Authentication")`

Thanks in advance!!

Re: Splunk ES query which uses datamodel and also uses custom index values

richgalloway — Tue, 22 Sep 2020 12:38:50 GMT

The syntax used for the IN operator is incorrect. Try

... |where Authentication.index IN(A,B,C)| ...

Re: Splunk ES query which uses datamodel and also uses custom index values

indut — Tue, 22 Sep 2020 23:20:36 GMT

Thank you, this works 🙂

Re: Splunk ES query which uses datamodel and also uses custom index values

indut — Wed, 23 Sep 2020 11:07:55 GMT

Hi, I thought I replied here but somehow I am unable to view my reply.

The above where condition is not working when I have 10-12 index to use inside IN(A,B,C.....K,L)

Issue 1: It says that where condition is missing closure with )" when I use more that 2 index values

Issue 2: It returns the events but it won't display the events ( I tried verbose and fast modes) but I can't see the events ( I do encounter this situation even when no syntax errors/ no error message) not sure why this situation happens, appreciate response for this condition as well.

Please advise how how I can use filter the data model to fit only to my index values