
tstat and stat commands do not return any result

vtsco
New Member

I use Splunk v7.2 on a Windows server. I have installed some add-ons and apps. The problem is that any query that uses stat or tstat does not return any result (they just return 0).

For example, this is a query from Modsecurity's app:

| tstats summariesonly=true count from datamodel=modsecurity_alerts

I believe I have installed the app correctly.

In addition to that, some of the queries from Splunk app for Windows infrastructure also don't work; this is one of them:

| inputlookup windows_event_system | dedup Host | stats count

I have been googling for a while, but with no luck. Any help is highly appreciated.

0 Karma
1 Solution

gfreitas
Builder

Hey man, it seems the search is using accelerated datamodels (first search). Please make sure the datamodel is accelerated. A good idea as well is to run the root search that populates the datamodel to make sure it is matching something. To find that search, click on Settings > Data Models > Open the above datamodel, then copy the search that should be under Constraints and use it on a search. If it is not showing anything, you either need to adjust your data or adjust the search that populates the datamodel.

About the lookup, it seems it was never populated. You have an option to build the lookups on the App Configuration.

Hope that helps.


0 Karma
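The two checks described in the answer above can be combined into one search that shows which of them is failing. This is an added example, not part of the original thread; it assumes the data model name `modsecurity_alerts` from the question, and the field names `all_events`, `summarized_events` and `diagnosis` are chosen here for illustration.

```spl
| tstats summariesonly=false count AS all_events from datamodel=modsecurity_alerts
| appendcols
    [| tstats summariesonly=true count AS summarized_events from datamodel=modsecurity_alerts]
| eval diagnosis=case(
    all_events == 0, "constraint search matches no events: check the data or the constraint",
    summarized_events == 0, "events match but no acceleration summaries exist: enable acceleration or wait for the summary to build",
    summarized_events < all_events, "summaries exist but do not yet cover every event in the time range",
    true(), "acceleration summaries cover the time range")
```

With `summariesonly=false`, `tstats` also counts events that have not been summarized, so a non-zero `all_events` next to a zero `summarized_events` points at acceleration rather than at the data.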


vtsco
New Member

Accelerating the datamodel fixed the problem, thank you very much!

0 Karma

codebuilder
Influencer

For tstats count you need to use "where" not "from".

Try this:

 | tstats summariesonly=true count where datamodel=modsecurity_alerts
----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma