Data Model or Pivot dedup

romansul · ‎03-18-2019

I generated a Data Model and accelerated it. The data consists of Months (Jan, Feb, etc), Suppliers(A, B,C), Machines (hostnames) and the final output has to be a stacked barchart displaying count of Providers events on our Machines per Months.

The issue is that I only have to count a maximum of 1 event per Machine in a month. When I only searched directly, a simple "| dedup Month Provider Hostname" solved the problem but now, as the data model must be accelerated, I cannot use dedup. Also, I cannot find how to use dedup in the barchart search generated by Pivot UI.

Could somebody please point me a direction regarding a dedup alternative for DataModels or Pivot searches?
Thanks!

lakshman239 · ‎03-18-2019

You could use | from datamodel:"your_dm_name" | stats count(Providers) count(hostname) by month and change as needed.

romansul · ‎03-19-2019

Thanks for the reply. If i use "datamodel" i've noticed that it will load the data very slow, as it will not use the accelerated version. Is there a way of specifying to use the accelerated data?

lakshman239 · ‎03-19-2019

you can use tstats , say something like | tstats count(Providers) count(hostname) from datamodel="your_dm_name" groupby dm_name.month

change as per your field names

Data Model or Pivot dedup

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

Preparing your Splunk Environment for OpenSSL3

Incident Response: Reduce Incident Recurrence with Automated Ticket Creation