https://community.splunk.com/t5/Splunk-Search/Is-this-search-just-counting-the-number-of-events-in-this/m-p/270742#M81491 <P>This is the search:</P> <PRE><CODE>| tstats count from datamodel=Authentication where nodename=Authentication.Privileged_Authentication by _time span=1h | timechart span=1h count </CODE></PRE> <P>Is this search counting the number of events in the "Priviliged_Aunthentication" node from the datamodel "Authentication" grouped into 1 hour periods?</P> Mon, 24 Oct 2016 17:32:24 GMT Justin1224 2016-10-24T17:32:24Z https://community.splunk.com/t5/Splunk-Search/Is-this-search-just-counting-the-number-of-events-in-this/m-p/270742#M81491 <P>This is the search:</P> <PRE><CODE>| tstats count from datamodel=Authentication where nodename=Authentication.Privileged_Authentication by _time span=1h | timechart span=1h count </CODE></PRE> <P>Is this search counting the number of events in the "Priviliged_Aunthentication" node from the datamodel "Authentication" grouped into 1 hour periods?</P> Mon, 24 Oct 2016 17:32:24 GMT https://community.splunk.com/t5/Splunk-Search/Is-this-search-just-counting-the-number-of-events-in-this/m-p/270742#M81491 Justin1224 2016-10-24T17:32:24Z https://community.splunk.com/t5/Splunk-Search/Is-this-search-just-counting-the-number-of-events-in-this/m-p/270743#M81492 <P>"Authentication" is the object name. The "nodename" on tstats is not hostname. It is to specify the node-name of the object hierarchy on CIM model.<BR /> More info about nodename.<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Tstats" target="_blank">https://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Tstats</A></P> <P><STRONG>An accelerated data model object</STRONG><BR /> When you select data within an accelerated data model, you can further constrain your search by indicating an object within that data model that you want to select data from. You do this by using a where clause to indicate the nodename of the data model object. The nodename value indicates where the object is in a data model hierarchy.</P> <P>When you use nodename in a search, you always use the following construction: FROM datamodel= where nodename=..&lt;...&gt;..</P> <P>For example, say you want to search on an object named scheduled_reports in your internal_server data model. In that data model, the scheduled_reports object is a child of the scheduler object, which in turn is a child of the server root event object. This means that you should represent the scheduled_report object in your search as <CODE>nodename=server.scheduler.scheduled_reports</CODE>.</P> <P>If you run that search and decide you want to search on the contents of the scheduler data model object instead, you would use <CODE>nodename=server.scheduler</CODE> in your new search.</P> Tue, 29 Sep 2020 11:32:20 GMT https://community.splunk.com/t5/Splunk-Search/Is-this-search-just-counting-the-number-of-events-in-this/m-p/270743#M81492 inventsekar 2020-09-29T11:32:20Z https://community.splunk.com/t5/Splunk-Search/Is-this-search-just-counting-the-number-of-events-in-this/m-p/270744#M81493 <P>Right, so the search is doing what I described then?</P> Mon, 24 Oct 2016 21:20:24 GMT https://community.splunk.com/t5/Splunk-Search/Is-this-search-just-counting-the-number-of-events-in-this/m-p/270744#M81493 Justin1224 2016-10-24T21:20:24Z https://community.splunk.com/t5/Splunk-Search/Is-this-search-just-counting-the-number-of-events-in-this/m-p/270745#M81494 <P>You're right. However, the last <CODE>timechart</CODE> is not needed</P> Mon, 24 Oct 2016 21:56:51 GMT https://community.splunk.com/t5/Splunk-Search/Is-this-search-just-counting-the-number-of-events-in-this/m-p/270745#M81494 sundareshr 2016-10-24T21:56:51Z