https://community.splunk.com/t5/Reporting/Accelerated-data-model-and-indextime-field/m-p/462820#M7449 <P>@simpkins1958 did you ever get this to work? I am currently running into the same problem. </P> Fri, 24 Jan 2020 20:09:38 GMT ninjaunicorn101 2020-01-24T20:09:38Z https://community.splunk.com/t5/Reporting/Accelerated-data-model-and-indextime-field/m-p/462817#M7446 <P>We have an accelerated data model and would like to be able to use a where clause from TSTATS that includes:</P> <P>_index_earliest=-h@h AND _index_latest=@h</P> <P>_indextime does seem to be a field that is available in the DMA. But trying to use the where clause above does not work.</P> <P>We want to generate TSTATS values for events that have been indexed in the previous hour.</P> <P>Here is the full SPL:<BR /> | tstats <BR /> min(_time) as _time <BR /> sum(nmds_app_dest_survey.bytes) as bytes <BR /> sum(nmds_app_dest_survey.flow_count) as flow_count <BR /> FROM datamodel=nmdm_app_dest_survey <BR /> WHERE _index_earliest=-h@h AND _index_latest=@h<BR /> BY nmds_app_dest_survey.dest_and_port</P> Wed, 30 Sep 2020 01:54:39 GMT https://community.splunk.com/t5/Reporting/Accelerated-data-model-and-indextime-field/m-p/462817#M7446 simpkins1958 2020-09-30T01:54:39Z https://community.splunk.com/t5/Reporting/Accelerated-data-model-and-indextime-field/m-p/462818#M7447 <P>if you switch this to |tstats _index_earliest=-h@h AND _index_latest=@h<BR /> and remove the where condition, does it work?</P> Wed, 30 Sep 2020 01:54:40 GMT https://community.splunk.com/t5/Reporting/Accelerated-data-model-and-indextime-field/m-p/462818#M7447 Sukisen1981 2020-09-30T01:54:40Z https://community.splunk.com/t5/Reporting/Accelerated-data-model-and-indextime-field/m-p/462819#M7448 <P>No. That does not work either.<BR /> Error in 'stats' command: The argument '_index_earliest=-h@h' is invalid.</P> Wed, 30 Sep 2020 01:54:43 GMT https://community.splunk.com/t5/Reporting/Accelerated-data-model-and-indextime-field/m-p/462819#M7448 simpkins1958 2020-09-30T01:54:43Z https://community.splunk.com/t5/Reporting/Accelerated-data-model-and-indextime-field/m-p/462820#M7449 <P>@simpkins1958 did you ever get this to work? I am currently running into the same problem. </P> Fri, 24 Jan 2020 20:09:38 GMT https://community.splunk.com/t5/Reporting/Accelerated-data-model-and-indextime-field/m-p/462820#M7449 ninjaunicorn101 2020-01-24T20:09:38Z https://community.splunk.com/t5/Reporting/Accelerated-data-model-and-indextime-field/m-p/462821#M7450 <P>At this time _indextime fields are not included in the datamodel accelerations. I imagine this is due to optimization with regards to both disk space and memory usage during the acceleration process. </P> <P>If you are interested in having a field that tracks the time the accelerated event gets written to disk, then I encourage you to submit the idea to the ideas portal at <A href="https://ideas.splunk.com/">https://ideas.splunk.com/</A>.</P> Fri, 10 Apr 2020 20:24:07 GMT https://community.splunk.com/t5/Reporting/Accelerated-data-model-and-indextime-field/m-p/462821#M7450 cstump_splunk 2020-04-10T20:24:07Z https://community.splunk.com/t5/Reporting/Accelerated-data-model-and-indextime-field/m-p/522667#M8485 <P>Why don't you add a new field to your datamodel and assign it the _indextime value ?</P> Fri, 02 Oct 2020 13:20:48 GMT https://community.splunk.com/t5/Reporting/Accelerated-data-model-and-indextime-field/m-p/522667#M8485 samsplunks 2020-10-02T13:20:48Z https://community.splunk.com/t5/Reporting/Accelerated-data-model-and-indextime-field/m-p/685366#M12444 <P>| tstats count WHERE index=_internal _index_earliest=-1h _index_latest=now<BR /><BR />Just set your time range for the search to be greater than the expected delay</P><P>* earliest_time = <A href="mailto:-1d@d" target="_blank">-1d@d</A><BR />* latest_time = <A href="mailto:+60d@d" target="_blank">+60d@d</A>&nbsp;</P> Wed, 24 Apr 2024 19:50:18 GMT https://community.splunk.com/t5/Reporting/Accelerated-data-model-and-indextime-field/m-p/685366#M12444 GreenFish 2024-04-24T19:50:18Z