Knowledge Management

Data model misses events when using a calculated field constraint

mrmarshall
Engager

I have a data model in Splunk with a root event and two child events. The child events have a constraint that uses a calculated field. When I search the child events, only recent data is returned. This only happens when data model acceleration is enabled.

The child constraint: latency>0

Example
When I count the total number of events, the total is always correct:

| tstats count from datamodel=dmdemo.rooteventdemo where nodename=rooteventdemo
Results: 580,220

Which is roughly the same as:
| datamodel dmdemo rooteventdemo search
Results: 580,704

However, when I search the child:

| tstats count from datamodel=dmdemo.rooteventdemo where nodename=rooteventdemo.child1
Results: 0

Which is the same as:
| datamodel dmdemo child1 search
Results: 0
Note: these values change continuously when I search for the latest 15 min.

When I disable report acceleration, tstats obviously doesn't work, but the search works fine again:

| tstats count from datamodel=dmdemo.rooteventdemo where nodename=rooteventdemo.child1
Results: 0

| datamodel dmdemo child1 search
Results: 474,045

The total result is as expected:

| datamodel dmdemo rooteventdemo search | search rooteventdemo.field1>0
Results: 474,045

| datamodel dmdemo rooteventdemo search | where 'rooteventdemo.field1'>0
Results: 474,045

I've also created a new data model where the calculated field is used as a root event. This still causes the same issues, so the issue is not caused by its being a child data set.

Does anyone know what is causing this and how to fix it? I've thought of simply sending the calculated field to Splunk or perhaps creating the calculated field at index time, but I think Splunk data models should be able to cope with calculated fields.
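A diagnostic search, added here and not part of the original post, that narrows down where the accelerated and unaccelerated counts diverge. It assumes the same data model and dataset names as the post (dmdemo, rooteventdemo, child1) and compares the per-day count that tstats reads from the acceleration summaries against the per-day count the unaccelerated datamodel search returns, so a summary that only covers recent days shows up as a growing gap for older days.

```spl
| tstats summariesonly=true count from datamodel=dmdemo.rooteventdemo
    where nodename=rooteventdemo.child1 by _time span=1d
| rename count AS accelerated
| append [
    | datamodel dmdemo child1 search
    | bucket _time span=1d
    | stats count AS raw by _time ]
| stats values(accelerated) AS accelerated values(raw) AS raw by _time
| eval accelerated=coalesce(accelerated,0), raw=coalesce(raw,0)
| eval gap=raw-accelerated
| sort _time
```

Run it over the same time range as the searches above; days where raw is non-zero but accelerated is zero are the ones the summaries do not cover for the child constraint, which is what you would expect if the calculated field is not available when the summary is built. The appended subsearch is subject to the usual subsearch result and time limits, so keep the range modest or raise the limits when testing.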
