What are some use cases where it is best to use accelerated datamodels?


Hi there.

The only possible way to access accelerated datamodels is by using the tstats command. It is tricky to use tstats in general and for extracting single events.
So, why even use accelerated datamodels if only one command is supported to access them?

0 Karma


Your question shows that first, you need to go read these pages:

Accelerated data models do not HAVE to use tstats. In fact, you CANNOT use an accelerated data model unless at least one of the root hierarchies includes only streaming commands. (In other words, unless one of the data models is going for raw data on the indexers that has not been "blended" in any way with other data.)

So, tstats isn't involved in the acceleration.

You CAN use tstats within a data model, but it is not required:

You can also use tstats to get data OUT of a data model:

Once you've reviewed those references, please let us know what other questions we can help you with on this.


Thanks for your answer. But, as MuS expected, it doesn't reflect my question.

Let's start at the beginning.

Datamodels are great to structure unstructured data. We all know what they are and how to create them or use them from the CIM.

Accelerated datamodels are created with a scheduled search, which runs every 15min for a defined search range. Those models use additional storage on the indexers and of course CPU power to create them. In fact they are resourceful.

Because the creation of accelerated datamodels is expensive, they must have an added value. In my opinion the value is that the data is accessible much faster. But the only way to access those data is by using tstats:

| tstats summariesonly=t avg(foo) FROM datamodel=buttercup_games WHERE bar=value2 baz>5

But I don't only want to create stats of accelerated datamodels. I want to make searches on the data within the accelerated datamodel and get events out of it. Something like

search datamodel=buttercup_games foo=value bar=value2

But there is no such command.

So, why use accelerated datamodels if we can only make tstats and not properly search for events?

0 Karma


I reckon the question is about the usage of tstats against datamodel, like in

 | tstats count FROM datamodel=network WHERE foo=baz ....

not on the usage of tstats in the datamodel root/search events ... but I could also be wrong ¯\_(ツ)_/¯

cheers, MuS

0 Karma