Accelerated data model and _indextime field

Contributor

We have an accelerated data model and would like to be able to use a where clause from TSTATS that includes:

_index_earliest=-h@h AND _index_latest=@h

_indextime does seem to be a field that is available in the DMA. But trying to use the where clause above does not work.

We want to generate TSTATS values for events that have been indexed in the previous hour.

Here is the full SPL:

| tstats
    min(_time) as _time
    sum(nmds_appdestsurvey.bytes) as bytes
    sum(nmds_appdestsurvey.flowcount) as flowcount
  FROM datamodel=nmdm_appdestsurvey
  WHERE _index_earliest=-h@h AND _index_latest=@h
  BY nmds_appdestsurvey.dest_and_port

Re: Accelerated data model and _indextime field

Champion

If you switch this to |tstats _index_earliest=-h@h AND _index_latest=@h
and remove the where condition, does it work?

Re: Accelerated data model and _indextime field

Contributor

No. That does not work either.
Error in 'stats' command: The argument '_index_earliest=-h@h' is invalid.

Re: Accelerated data model and _indextime field

New Member

@simpkins1958 did you ever get this to work? I am currently running into the same problem.

Re: Accelerated data model and _indextime field

Splunk Employee

At this time _indextime fields are not included in the datamodel accelerations. I imagine this is due to optimization with regards to both disk space and memory usage during the acceleration process.

If you are interested in having a field that tracks the time the accelerated event gets written to disk, then I encourage you to submit the idea to the ideas portal at https://ideas.splunk.com/.

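Since the accelerated summary carries no _indextime, one way to get "events indexed in the previous hour" is to fall back to the raw events behind the model, where _indextime is present. The search below is an added example, not code from any post in this thread; it assumes the model and dataset names nmdm_appdestsurvey and nmds_appdestsurvey used in the question, and it runs unaccelerated, so the search's own time range must reach back far enough to include late-arriving events whose _time is older than their _indextime.

```spl
| datamodel nmdm_appdestsurvey nmds_appdestsurvey search
| where _indextime >= relative_time(now(), "-h@h")
    AND _indextime <  relative_time(now(), "@h")
| stats min(_time) as _time
        sum(nmds_appdestsurvey.bytes) as bytes
        sum(nmds_appdestsurvey.flowcount) as flowcount
    BY nmds_appdestsurvey.dest_and_port
```

Because this reads raw events rather than the tsidx summary, expect it to be slower than tstats and size the time picker (for example, earliest=-24h) to the maximum indexing delay you need to tolerate.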