Installation

Why does the tstats with datamodel return 0 results after upgrade to Splunk 6.6.5 from Splunk 6.5.3?

clanier
Explorer

Hello!

Looking for some troubleshooting tips.

We have two separate Search Heads while we migrate our Applications from Splunk Search Head Version 6.5.3 to 6.6.5.

All of our various apps work flawlessly with the upgrade, however not one of our implementations, specifically App for Web Proxies. Which utilizes tstats on the Web Data Model.

Below are the Environments and the searches run with output on the Search Head. I have also included something I am a little interested in regarding further investigation within the Job Inspector and expanding the Search Job Properties.

Splunk 6.5.3

| datamodel Web search

Data Model search returns the expected number of events

| tstats prestats=false local=false summariesonly=false count from datamodel=Web 

Returns the expected number of events

{   [-] 
    :   {   [-] 
        type:   str 
    }   
    Web.action: {   [-] 
        type:   str 
    }   
    Web.is_Proxy:   {   [-] 
        type:   num 
    }   
    nodename:   {   [-] 
        type:   str 
    }   
}

fieldMetadataEvents in search job inspector
Splunk 6.6.5

| datamodel Web search

Data Model search returns expected number of events

| tstats prestats=false local=false summariesonly=false count from datamodel=Web 

Problem area above returns no events

{   [-] 
    :   {   [-] 
        type:   str 
    }   
}

fieldMetadataEvents in search job inspector does not reflect pulling fields of the Data Model

If anyone has encountered something like this, or has a good idea on the best way to troubleshoot, I am all ears. Both search heads are pointed to similar indexers, as well as both versions of the apps installed on the Search Head are the same.

Thanks for your help!

Labels (2)
0 Karma
1 Solution

clanier
Explorer

An upgrade to the indexer solved this issue. Thanks.

View solution in original post

0 Karma

clanier
Explorer

An upgrade to the indexer solved this issue. Thanks.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...