
tstat and stat commands do not return any result

New Member

I use Splunk v7.2 on a Windows server. I have installed some add-ons and apps. The problem is that any query that uses stat or tstat does not return any result (they just return 0).

For example, this is a query from ModSecurity's app:

| tstats summariesonly=true count from datamodel=modsecurity_alerts

I believe I have installed the app correctly.

In addition to that, some of the queries from the Splunk App for Windows Infrastructure also don't work; this is one of them:

| inputlookup windows_event_system | dedup Host | stats count

I have been googling for a while, but with no luck. Any help is highly appreciated.

1 Solution

Builder

Hey man, it seems the search is using accelerated datamodels (first search). Please make sure the datamodel is accelerated. A good idea as well is to run the root search that populates the datamodel to make sure it is matching something. To find that search, click on Settings > Data Models > open the above datamodel, then copy the search that should be under Constraints and use it in a search. If it is not showing anything, you either need to adjust your data or adjust the search that populates the datamodel.

About the lookup, it seems it was never populated. You have an option to build the lookups in the App Configuration.

Hope that helps.

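A diagnostic search for the checks described in the answer above, added here as an example (it is not part of the original post or of either app): it compares the count from the acceleration summary with the count over all events matching the datamodel. The field names `summarized`, `all_events` and `diagnosis` are chosen for this example.

```spl
| tstats summariesonly=true count AS summarized from datamodel=modsecurity_alerts
| appendcols
    [| tstats summariesonly=false count AS all_events from datamodel=modsecurity_alerts]
| eval diagnosis=case(
    all_events==0, "no events match the datamodel constraints: check the data or the constraint search",
    summarized==0, "events match but no summary exists: enable acceleration or wait for the summary to build",
    summarized<all_events, "summary exists but does not yet cover all events in this time range",
    true(), "summary covers the selected time range")
| table summarized all_events diagnosis
```

Run it over the same time range as the panel that returns 0. With `summariesonly=false`, `tstats` also searches events that are not yet summarized, so it is slower but does not depend on acceleration.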

New Member

Accelerating the datamodel fixed the problem, thank you very much!


Motivator

For tstats count you need to use "where" not "from".

Try this:

 | tstats summariesonly=true count where datamodel=modsecurity_alerts