topic Re: Unable to use tstats against child dataset in a datamodel in Splunk Enterprise Security

Unable to use tstats against child dataset in a datamodel

harishbenne2 — Sun, 07 Jun 2020 16:32:20 GMT

Hi guys,

I am unable to run tstats command against the sub-dataset in a datamodel. Whenever I try to, it throws below error:

Error in 'DataModelCache': Invalid or unaccelerable root object for datamodel

I am not even using the summariesonly in my query for the Datamodels to be accelerated. (Its accelerated though..!!).

| from datamodel:Intrusion_Detection.Network_IDS_Attacks | stats count

Above query gives me right answer, however when I use tstats like in below query, it all goes haywire.

| tstats count from datamodel=Intrusion_Detection.Network_IDS_Attacks

Could someone point out to me what is it I'm doing wrong?

Re: Unable to use tstats against child dataset in a datamodel

richgalloway — Fri, 17 Apr 2020 14:50:28 GMT

Use nodename. This option is buried in the tstats docs.

| tstats count from datamodel=Intrusion_Detection where nodename=Intrusion_Detection.Network_IDS_Attacks

Re: Unable to use tstats against child dataset in a datamodel

kprior201_lilly — Thu, 23 Apr 2020 18:27:49 GMT

So, I've noticed that this does not work for the Endpoint datamodel. For Endpoint, it has to be datamodel=Endpoint. without a nodename. It seems to be the only datamodel that this is occurring for at this time. Is this an issue that you've come across?

Re: Unable to use tstats against child dataset in a datamodel

richgalloway — Mon, 27 Apr 2020 12:15:36 GMT

Yes, I've seen that, too.

Re: Unable to use tstats against child dataset in a datamodel

harishbenne2 — Tue, 05 May 2020 19:35:26 GMT

But I see it on all the datamodels when I try to work with the child datasets. the nodename works to an extent, but not completely.

I do not know why it doesn't work anymore.

Re: Unable to use tstats against child dataset in a datamodel

kprior201_lilly — Wed, 06 May 2020 13:44:27 GMT

I have a support ticket open about this, and below is the latest update. Basically, there is a discrepancy between the way tstats works with the different combinations of events/search definitions in data models. Splunk has a JIRA ticket open to address this discrepancy, but no resolution is defined as of yet.

"As we discuss with my colleague as well the tstats searches against accelerated DMs relying on a Root Search Dataset, but part of a Mixed Model (which means that it contains at least also one Root Event Dataset will always fail regardless if the constraint search is or is NOT a streaming search, as this is currently not supported.
Basically this is what happens on our case and the SPL ticket states.

Here is the SPL ticket in case you want to verify SPL-167885.

As we saw other option to add using in the search are using the "| datamodel" or the "| from" command.
https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Datamodel
https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/From "