Splunk Enterprise

tstats and child dataset

secuc2r83
Path Finder

Hello Splunk community,

I think I'm missing something between the data model and its child datasets.
My goal: in my proxy logs, I add 2 tags (risky/clean) for some destinations. I need to print the percentage of risky/clean traffic for each hour.

My accelerated data model DM1 hierarchy (summary range: 3 months):

DM1:
     - DS1      (root event:    sourcetype=proxy)
        - DS11  (child:         tag=risky )
        - DS12  (child:     tag=clean eventtype="out_*")

If I check EVENTS for child "DS12" for 2 hours (2PM - 4PM):

| datamodel DM1 DS12 search
        125000 events 
        field "action"= 8 values
        inherited field "DS1.application" = 7 values

If I check STATS for child "DS12" for 2 hours (2PM - 4PM):

Events for each hour:

| tstats count from datamodel=DM1 where (nodename = DS1.DS12) groupby _time span=1h
            *No results*

Count by application for each hour:

| tstats count(DS1.application) from datamodel=DM1 where (nodename = DS1.DS12) groupby _time span=1h
            *No results*

If I check STATS from the .tsidx files (accelerated data model) for 2 hours (2PM - 4PM):
OK for root object DS1:

 | tstats summariesonly=true count, values(DS1.application) AS "Appli" from datamodel=DM1 where (nodename=DS1) groupby _time span=1h
                    _time           count       Appli
                    2PM             57000       xxx
                    3PM             4309        yyy
                    4PM             44537       zzz

But nothing for child object DS12:

| tstats summariesonly=t count, values(DS1.application) AS "Appli" from datamodel=DM1 where (nodename = DS1.DS12) groupby _time span=1h
                            *No results*

So: I have events in my child DS12.
I can do stats on root events in both of my .tsidx sources (datamodel and accelerated data model), but it is impossible for child events on the same .tsidx.

Thanks in advance.
(For info: tag and eventtype are multivalue fields containing more than one entry: tag = test1, risky / eventtype = out_if1, Compliance)

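As an added example that is not part of the original post: one way to compute the per-hour risky/clean percentage the question asks for, once `tstats` does return rows for the child datasets. It assumes the nodenames `DS1.DS11` (risky) and `DS1.DS12` (clean) from the hierarchy above, and that `summariesonly=true` is acceptable (events not yet summarized into the .tsidx files are ignored, so a partially built summary understates both counts).

```spl
| tstats summariesonly=true count
    from datamodel=DM1
    where nodename=DS1.DS11 OR nodename=DS1.DS12
    by _time span=1h, nodename
| eval class=case(nodename=="DS1.DS11", "risky", nodename=="DS1.DS12", "clean")
| chart sum(count) AS count OVER _time BY class
| fillnull value=0 risky clean
| eval total=risky+clean
| eval pct_risky=if(total>0, round(100*risky/total, 2), null())
| eval pct_clean=if(total>0, round(100*clean/total, 2), null())
| table _time risky clean pct_risky pct_clean
```

The `fillnull` step matters: an hour with only risky (or only clean) traffic would otherwise have a null column after `chart`, and `risky+clean` would also be null, so that hour would silently disappear from the percentage. An event tagged both risky and clean (tag is multivalue here) is counted in both child datasets, so the two percentages can sum to more than 100 for that hour.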

secuc2r83
Path Finder

Hi DalJeanis, and thanks for your help.

(Time range for the tests = 24h / Summary range = 3 months / Status in data model settings = 100% completed)

No problem with the data model (DM1) or the root object (DS1):

  | tstats count from datamodel=DM1 
        count
        1245876

  | tstats count from datamodel=DM1 by _time span=1h
        _time           count
        2PM             123
        3PM             345

  | tstats count from datamodel=DM1.DS1 
        count
        6789900

  | tstats count from datamodel=DM1.DS1  by _time span=1h
        _time           count
        2PM             345
        3PM             567

But impossible for child events (DS11 or DS12):

  | tstats count from datamodel=DM1.DS1.DS11 
        Error in TsidxStats: Invalid or unaccelerate root object for datamodel 

   | tstats count from datamodel=DM1.DS1.DS11  by _time span=1h
        Error in TsidxStats: Invalid or unaccelerate root object for datamodel 

But I can check the child content (via datamodel) and tstats something via nodename (I don't know what the stats represent):

  | datamodel DM1 DS11 search
        125998 events with inherited fields (DS1.action, DS1.dest....)

 | tstats count from datamodel=DM1.DS1 where nodename=DS1.DS11
        count
        1345

When i try for a time range (2PM - 6PM)

  | tstats count from datamodel=DM1.DS1 where nodename=DS1.DS11 by _time span=1h
        _time           count
        4PM             887

=> Nothing for the other hours (2PM, 3PM)

=> In the last example: if I change the time range to 7 days, same result! (same number of events for 24h as for 7 days!!!)
Strange!


DalJeanis
SplunkTrust

Okay, I'd be trying to figure out where you are losing it. Does each of these return any results?

 | tstats count from datamodel=DM1 

 | tstats count from datamodel=DM1 by _time span=1h

 | tstats count from datamodel=DM1.DS1 

 | tstats count from datamodel=DM1.DS1  by _time span=1h

 | tstats count from datamodel=DM1.DS1.DS11 

 | tstats count from datamodel=DM1.DS1.DS11  by _time span=1h