Solved: Splunk inherit calculated datamodel field don't sh...

burakatabay · ‎08-19-2020

Hi Splunkers,

I try to get some fields on datamodel. And my search is ;

| tstats `summariesonly` count from datamodel=Change where nodename=All_Changes.Account_Management.Accounts_Created  by All_Changes.src_user

And src_user field inherit from Account_Management root node.

This search return a results but not showing in web page.

But I do same thinks on data model pivoting, result is showing.

How ı fix the problem ?

Thank you.

harsmarvania57 · ‎08-19-2020

Use below query, src_user field has been extracted under Account_Management

| tstats `summariesonly` count from datamodel=Change where nodename=All_Changes.Account_Management.Accounts_Created  by All_Changes.Account_Management.src_user

View solution in original post

harsmarvania57 · ‎08-19-2020

Use below query, src_user field has been extracted under Account_Management

| tstats `summariesonly` count from datamodel=Change where nodename=All_Changes.Account_Management.Accounts_Created  by All_Changes.Account_Management.src_user

Splunk inherit calculated datamodel field don't show in search but show in pivot.

calculated field

data model

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7