topic Re: Calculated Data Model Field Value Inaccessible in Knowledge Management

Calculated Data Model Field Value Inaccessible

joeldavideng — Tue, 29 Sep 2020 17:22:03 GMT

I created a data model called "Process_Creation" with a calculated field that represents the length of a specific string in the modeled events called "command_line_length". I can display the correct values for each event using a table command with "Process_Creation.command_line_length", however that seems to be all I can do with the data model field. When I attempt to compare the value to any numerical value I get zero results no matter the comparison type.

The calculated field is stored as a number and the values are correct so I suspect the "where" command is not referencing the actual stored value. Any ideas?

| datamodel Process_Monitoring Process_Creation search | eval threshold = [ | search index=summary "search_name=pm_command_line_length_stats" earliest=-90d@d latest=-1d@d | stats avg(command_line_length) AS command_line_average stdev(command_line_length) AS command_line_stdev | eval threshold = round(command_line_average + ( command_line_stdev * 6 )) | return $threshold ] | where Process_Creation.command_line_length > threshold

Re: Calculated Data Model Field Value Inaccessible

harsmarvania57 — Tue, 26 Dec 2017 05:37:44 GMT

Hi @joeldavideng,

To start diagnose the issue first try to search | datamodel Process_Monitoring Process_Creation search | where Process_Creation.command_line_length > 0 are you getting any result ?

Re: Calculated Data Model Field Value Inaccessible

joeldavideng — Tue, 26 Dec 2017 22:45:44 GMT

Performing that query threw a type error "Typechecking failed. The '>' operator received different types" which would indicate that the value is stored as the wrong type. I checked the data model and that field is explicitly set as a number. Is there an implicit cast when you reference the data model?

Re: Calculated Data Model Field Value Inaccessible

joeldavideng — Tue, 29 Sep 2020 17:22:17 GMT

I randomly decided to try adding some $'s to the field to see if I could extract the value of the field and it worked.

| datamodel Process_Monitoring Process_Creation search | where $Process_Creation.command_line_length$ > 100

I guess the calculated fields in a data model behave differently than adhoc fields calculated at search time in a query.

Re: Calculated Data Model Field Value Inaccessible

joeldavideng — Tue, 26 Dec 2017 23:21:54 GMT

For anyone else with the same problem, it appears that doing comparisons against the actual value of a data model field requires you to use enclosing $s to get the value rather than the variable reference.

Re: Calculated Data Model Field Value Inaccessible

niketn — Wed, 27 Dec 2017 03:14:33 GMT

@joeldavideng, can you add the final query that worked for you in your answer as well?

Re: Calculated Data Model Field Value Inaccessible

joeldavideng — Tue, 29 Sep 2020 17:22:32 GMT

Sure thing, it was very close to the original.