https://community.splunk.com/t5/Splunk-Search/How-come-our-tstats-with-datamodel-does-not-group-by-field/m-p/401491#M116224 <P>OK, we figured out the exact syntax: our datamodel has an object named "Package", which has such extracted fields as "length", "width", "height" and a calculated "tot_dim" which is a sum of the three dimensions. It also has a "token" field, which for some reason is not extracted properly, so I tested the GROUPBY syntax on some other field.</P> <P>All in all, it looks like this:</P> <PRE><CODE>| tstats count first(Package.tot_dim) AS tot_dim1 last(Package.tot_dim) AS tot_dim2 from datamodel=Our_Datamodel where index=our_index by Package.token | search count=2 </CODE></PRE> <P>Shall we agree that some of Splunks intricacies are somewhat underdocumented? <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Oh, and we are still in 6.6.2 - though I doubt it changes much in the latest version.</P> Thu, 10 Jan 2019 17:57:09 GMT arkadyz1 2019-01-10T17:57:09Z https://community.splunk.com/t5/Splunk-Search/How-come-our-tstats-with-datamodel-does-not-group-by-field/m-p/401484#M116217 <P>We have an index with quite a few index-time fields, and an accelerated datamodel that adds a calculated field there. Our objective is to group by one of the fields, find the first and the last value of some other field and compare them. Unfortunately, a usual <CODE>| tstats first(length) as length1 last(length) as length2 from datamodel=ourdatamodel groupby token</CODE> does not work.</P> <P>Just <CODE>tstats</CODE> using the index but not the data model works, but it lacks that calculated field that's only in the datamodel, so it does not satisfy our needs.</P> <P>I can add more precise search strings as replies to clarify things if needed.</P> Wed, 09 Jan 2019 21:59:25 GMT https://community.splunk.com/t5/Splunk-Search/How-come-our-tstats-with-datamodel-does-not-group-by-field/m-p/401484#M116217 arkadyz1 2019-01-09T21:59:25Z https://community.splunk.com/t5/Splunk-Search/How-come-our-tstats-with-datamodel-does-not-group-by-field/m-p/401485#M116218 <P>Does your datamodel tstats search work without <CODE>groupby</CODE>? </P> Thu, 10 Jan 2019 03:05:17 GMT https://community.splunk.com/t5/Splunk-Search/How-come-our-tstats-with-datamodel-does-not-group-by-field/m-p/401485#M116218 dflodstrom 2019-01-10T03:05:17Z https://community.splunk.com/t5/Splunk-Search/How-come-our-tstats-with-datamodel-does-not-group-by-field/m-p/401486#M116219 <P>The <CODE>length</CODE> and <CODE>token</CODE> fields are in the datamodel, right? If so, it should be:</P> <PRE><CODE>| tstats first(Our_Datamodel.length) AS length1 last(Our_Datamodel.length) AS length2 FROM datamodel=ourdatamodel WHERE index=* BY Our_Datamodel.token </CODE></PRE> Thu, 10 Jan 2019 03:18:34 GMT https://community.splunk.com/t5/Splunk-Search/How-come-our-tstats-with-datamodel-does-not-group-by-field/m-p/401486#M116219 woodcock 2019-01-10T03:18:34Z https://community.splunk.com/t5/Splunk-Search/How-come-our-tstats-with-datamodel-does-not-group-by-field/m-p/401487#M116220 <P>Not sure - never tried it, as we need that by/groupby anyway. I think our mistake was a wrong field notation - we did not realize that datamodel fields are referenced as <CODE>datamodelname.fieldname</CODE>. Thanks to @woodcock 's answer below, we realized our mistake.</P> Thu, 10 Jan 2019 15:07:51 GMT https://community.splunk.com/t5/Splunk-Search/How-come-our-tstats-with-datamodel-does-not-group-by-field/m-p/401487#M116220 arkadyz1 2019-01-10T15:07:51Z https://community.splunk.com/t5/Splunk-Search/How-come-our-tstats-with-datamodel-does-not-group-by-field/m-p/401488#M116221 <P>Could you please clarify: if our datamodel is named "Our Datamodel" with internal name <CODE>Our_Datamodel</CODE>, it has an event named <CODE>Event</CODE> and in it are a couple of fields named <CODE>length</CODE> and <CODE>token</CODE>, what would be our search string?</P> Thu, 10 Jan 2019 15:57:44 GMT https://community.splunk.com/t5/Splunk-Search/How-come-our-tstats-with-datamodel-does-not-group-by-field/m-p/401488#M116221 arkadyz1 2019-01-10T15:57:44Z https://community.splunk.com/t5/Splunk-Search/How-come-our-tstats-with-datamodel-does-not-group-by-field/m-p/401489#M116222 <P>I have updated my answer with what should probably work. If you post your <CODE>Our_Datamodel.json</CODE> then I can say for sure.</P> Thu, 10 Jan 2019 16:13:51 GMT https://community.splunk.com/t5/Splunk-Search/How-come-our-tstats-with-datamodel-does-not-group-by-field/m-p/401489#M116222 woodcock 2019-01-10T16:13:51Z https://community.splunk.com/t5/Splunk-Search/How-come-our-tstats-with-datamodel-does-not-group-by-field/m-p/401490#M116223 <P>If an answer or comment has helped you, then you should <CODE>UpVote</CODE> it; if it solved it for you, then you should click <CODE>Accept</CODE> to close the question.</P> Thu, 10 Jan 2019 16:15:49 GMT https://community.splunk.com/t5/Splunk-Search/How-come-our-tstats-with-datamodel-does-not-group-by-field/m-p/401490#M116223 woodcock 2019-01-10T16:15:49Z https://community.splunk.com/t5/Splunk-Search/How-come-our-tstats-with-datamodel-does-not-group-by-field/m-p/401491#M116224 <P>OK, we figured out the exact syntax: our datamodel has an object named "Package", which has such extracted fields as "length", "width", "height" and a calculated "tot_dim" which is a sum of the three dimensions. It also has a "token" field, which for some reason is not extracted properly, so I tested the GROUPBY syntax on some other field.</P> <P>All in all, it looks like this:</P> <PRE><CODE>| tstats count first(Package.tot_dim) AS tot_dim1 last(Package.tot_dim) AS tot_dim2 from datamodel=Our_Datamodel where index=our_index by Package.token | search count=2 </CODE></PRE> <P>Shall we agree that some of Splunks intricacies are somewhat underdocumented? <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Oh, and we are still in 6.6.2 - though I doubt it changes much in the latest version.</P> Thu, 10 Jan 2019 17:57:09 GMT https://community.splunk.com/t5/Splunk-Search/How-come-our-tstats-with-datamodel-does-not-group-by-field/m-p/401491#M116224 arkadyz1 2019-01-10T17:57:09Z https://community.splunk.com/t5/Splunk-Search/How-come-our-tstats-with-datamodel-does-not-group-by-field/m-p/401492#M116225 <P>I voted up an answer by @woodcock as it gave us the right idea. Here is the syntax that works:</P> <PRE><CODE> | tstats count first(Package.tot_dim) AS tot_dim1 last(Package.tot_dim) AS tot_dim2 from datamodel=Our_Datamodel where index=our_index by Package.token | search count=2 </CODE></PRE> <P>Now for the details: we have a datamodel named <CODE>Our_Datamodel</CODE> (make sure you refer to its internal name, not display name), an object named <CODE>Package</CODE> within it and fields named <CODE>tot_dim</CODE> and <CODE>token</CODE>. The <CODE>| search count=2</CODE> addition is for illustration only - you can pipe the tstats command into many other commands.</P> Thu, 10 Jan 2019 18:15:46 GMT https://community.splunk.com/t5/Splunk-Search/How-come-our-tstats-with-datamodel-does-not-group-by-field/m-p/401492#M116225 arkadyz1 2019-01-10T18:15:46Z https://community.splunk.com/t5/Splunk-Search/How-come-our-tstats-with-datamodel-does-not-group-by-field/m-p/401493#M116226 <P>Perfect. Be sure to <CODE>UpVote</CODE> and helpful comments and answers and the click on <CODE>Accept</CODE> to the best answer to close the question.</P> Thu, 10 Jan 2019 19:01:32 GMT https://community.splunk.com/t5/Splunk-Search/How-come-our-tstats-with-datamodel-does-not-group-by-field/m-p/401493#M116226 woodcock 2019-01-10T19:01:32Z