Solved: Re: Calculated Data Model Field Value Inaccessible

joeldavideng · ‎12-25-2017

I created a data model called "Process_Creation" with a calculated field that represents the length of a specific string in the modeled events called "command_line_length". I can display the correct values for each event using a table command with "Process_Creation.command_line_length", however that seems to be all I can do with the data model field. When I attempt to compare the value to any numerical value I get zero results no matter the comparison type.

The calculated field is stored as a number and the values are correct so I suspect the "where" command is not referencing the actual stored value. Any ideas?

| datamodel Process_Monitoring Process_Creation search | eval threshold = [ | search index=summary "search_name=pm_command_line_length_stats" earliest=-90d@d latest=-1d@d | stats avg(command_line_length) AS command_line_average stdev(command_line_length) AS command_line_stdev | eval threshold = round(command_line_average + ( command_line_stdev * 6 )) | return $threshold ] | where Process_Creation.command_line_length > threshold

joeldavideng · ‎12-26-2017

For anyone else with the same problem, it appears that doing comparisons against the actual value of a data model field requires you to use enclosing $s to get the value rather than the variable reference.

View solution in original post

joeldavideng · ‎12-26-2017

For anyone else with the same problem, it appears that doing comparisons against the actual value of a data model field requires you to use enclosing $s to get the value rather than the variable reference.

niketn · ‎12-26-2017

@joeldavideng, can you add the final query that worked for you in your answer as well?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

joeldavideng · ‎12-27-2017

Sure thing, it was very close to the original.

| datamodel Process_Monitoring Process_Creation search | eval threshold = [ | search index=summary "search_name=pm_command_line_length_stats" earliest=-90d@d latest=-1d@d | stats avg(command_line_length) AS command_line_average stdev(command_line_length) AS command_line_stdev | eval threshold = round(command_line_average + ( command_line_stdev * 6 )) | return $threshold ] | where $Process_Creation.command_line_length$ > threshold

harsmarvania57 · ‎12-25-2017

Hi @joeldavideng,

To start diagnose the issue first try to search | datamodel Process_Monitoring Process_Creation search | where Process_Creation.command_line_length > 0 are you getting any result ?

joeldavideng · ‎12-26-2017

Performing that query threw a type error "Typechecking failed. The '>' operator received different types" which would indicate that the value is stored as the wrong type. I checked the data model and that field is explicitly set as a number. Is there an implicit cast when you reference the data model?

joeldavideng · ‎12-26-2017

I randomly decided to try adding some $'s to the field to see if I could extract the value of the field and it worked.

| datamodel Process_Monitoring Process_Creation search | where $Process_Creation.command_line_length$ > 100

I guess the calculated fields in a data model behave differently than adhoc fields calculated at search time in a query.

Calculated Data Model Field Value Inaccessible

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation