Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Accelerated data model and _indextime field

simpkins1958
Contributor
‎08-27-2019 12:14 PM

We have an accelerated data model and would like to be able to use a where clause from TSTATS that includes:

_index_earliest=-h@h AND _index_latest=@h

_indextime does seem to be a field that is available in the DMA. But trying to use the where clause above does not work.

We want to generate TSTATS values for events that have been indexed in the previous hour.

Here is the full SPL:
| tstats
min(_time) as _time
sum(nmds_app_dest_survey.bytes) as bytes
sum(nmds_app_dest_survey.flow_count) as flow_count
FROM datamodel=nmdm_app_dest_survey
WHERE _index_earliest=-h@h AND _index_latest=@h
BY nmds_app_dest_survey.dest_and_port

Labels (2)
Reply

GreenFish
New Member
‎04-24-2024 12:46 PM

| tstats count WHERE index=_internal _index_earliest=-1h _index_latest=now

Just set your time range for the search to be greater than the expected delay

* earliest_time = -1d@d
* latest_time = +60d@d 

0 Karma
Reply

cstump_splunk
Splunk Employee
Splunk Employee
‎04-10-2020 01:24 PM

At this time _indextime fields are not included in the datamodel accelerations. I imagine this is due to optimization with regards to both disk space and memory usage during the acceleration process.

If you are interested in having a field that tracks the time the accelerated event gets written to disk, then I encourage you to submit the idea to the ideas portal at https://ideas.splunk.com/.

0 Karma
Reply

samsplunks
Explorer
‎10-02-2020 06:20 AM

Why don't you add a new field to your datamodel and assign it the _indextime value ?

0 Karma
Reply

Sukisen1981
Champion
‎08-27-2019 12:40 PM

if you switch this to |tstats _index_earliest=-h@h AND _index_latest=@h
and remove the where condition, does it work?

0 Karma
Reply

simpkins1958
Contributor
‎08-27-2019 01:22 PM

No. That does not work either.
Error in 'stats' command: The argument '_index_earliest=-h@h' is invalid.

0 Karma
Reply

ninjaunicorn101
New Member
‎01-24-2020 12:09 PM

@simpkins1958 did you ever get this to work? I am currently running into the same problem.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...