|datamodel Authentication search | search Authentication.action=success works as expected and finds thousands of events correctly, but when I try |tstats count from datamodel=Authentication by Authentication.action I only find failures and unknowns, and no successes.
I see the constraint ('cim_Authentication_indexes') tag=authentication NOT (action=success user=*$) and ran a search like that, and was also able to see action=success events, so I don't know what's going on.
What's wrong with the acceleration? Why can't I find any Authentication.action=success events?
|datamodel Authentication search | stats count by Authentication.action is the equivalent of querying ('cim_Authentication_indexes') tag=authentication NOT (action=success user=*$) with your user's permissions.
When you run |tstats count from datamodel=Authentication by Authentication.action you are reading the data from within the data model, which can be running with other permissions and reading other indices. Could you please confirm that both you and the DM owner have the same permissions?
Are the events all coming from data extracted by a single app/TA? If so, make sure that the app is imported into ES (if it is an ES search head), and make sure the permission on the app and KO are correct.
My client is not using Enterprise Security (ES).
We are developing an application with a few dashboards using the CIM Data Models.
All the field extractions and calculations are working fine from their own TA/Splunk_TA, but when accelerated the summary indices are not collecting events with action=success.
Did you try a | tstats summariesonly=false count from datamodel=Authentication by Authentication.action?
On the other hand,
(action=success has a logical AND condition between
Yup, summariesonly=false doesn't help
Also yes, it's an AND; as I said, using the constraint directly in the search works perfectly and I'm able to find events with action=success. I don't know why the acceleration would replace success with unknown; without acceleration it works fine.
If summariesonly=false doesn't produce results, then the problem isn't the acceleration; it's that the data is probably not normalized properly. There's no data to accelerate.
Try running "cim_Authentication_indexes tag=authentication | stats values(action)" - is "success" one of the listed values?
That works fine.
When the DM is not accelerated I can find action=success, but if accelerated I can only find action=failure or action=unknown; for some reason the field calculation for the action field in the DM ignores all the action=success events and rewrites them as unknown.
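Added example, not from this thread or from Splunk's CIM app: a small Python evaluator for the Authentication root-dataset constraint quoted above, tag=authentication NOT (action=success user=*$), run over constructed sample events. It makes the "logical AND" point from the replies concrete (the NOT clause drops only success events whose user ends in "$", i.e. machine accounts, not every success) and reproduces the "| stats count by action" and "| stats values(action)" checks suggested above. The events, field names and the cim_Authentication_indexes macro (which in real SPL is invoked with backticks and expands to an index filter, omitted here) are assumptions.

```python
# Added example (not from the thread): evaluate the CIM Authentication root
# constraint   tag=authentication NOT (action=success user=*$)
# over constructed sample events, then compute the same "stats" the replies
# suggest, so the effect of the constraint can be seen without Splunk.

import fnmatch  # implements the "*$" wildcard; "$" is not special to fnmatch

# Constructed sample events (not real data). Each dict is one event after
# field extraction; "tag" holds the tags attached by the eventtype(s).
SAMPLE_EVENTS = [
    {"tag": ["authentication"], "action": "success", "user": "alice"},
    {"tag": ["authentication"], "action": "success", "user": "WORKSTATION01$"},
    {"tag": ["authentication"], "action": "failure", "user": "bob"},
    {"tag": ["authentication"], "action": "unknown", "user": "carol"},
    {"tag": ["authentication"], "action": "success", "user": "svc_backup"},
    {"tag": [], "action": "success", "user": "dave"},  # untagged: never in the DM
]


def matches_constraint(event):
    """True if the event satisfies tag=authentication NOT (action=success user=*$)."""
    tagged = "authentication" in event.get("tag", [])
    user = event.get("user", "")
    # The two terms inside NOT ( ... ) are implicitly ANDed: an event is only
    # excluded when it is BOTH a success AND its user ends with "$".
    excluded = event.get("action") == "success" and fnmatch.fnmatchcase(user, "*$")
    return tagged and not excluded


def matches_naive_not(event):
    """What the constraint would do if NOT applied to action=success alone
    (a misreading of the constraint; shown for contrast only)."""
    tagged = "authentication" in event.get("tag", [])
    return tagged and event.get("action") != "success"


def count_by_action(events, predicate):
    """Equivalent of '<constraint> | stats count by action'."""
    counts = {}
    for ev in events:
        if predicate(ev):
            counts[ev["action"]] = counts.get(ev["action"], 0) + 1
    return dict(sorted(counts.items()))


def values_of_action(events, predicate):
    """Equivalent of '<constraint> | stats values(action)'."""
    return sorted({ev["action"] for ev in events if predicate(ev)})


if __name__ == "__main__":
    print("CIM constraint, count by action:",
          count_by_action(SAMPLE_EVENTS, matches_constraint))
    print("CIM constraint, values(action):",
          values_of_action(SAMPLE_EVENTS, matches_constraint))
    print("if NOT covered action=success alone:",
          count_by_action(SAMPLE_EVENTS, matches_naive_not))
```

With these sample events the constraint keeps two of the four success events (only the machine account WORKSTATION01$ is dropped), so a summary that contains no success at all cannot be explained by the constraint itself; that matches the poster's observation that the raw constraint search returns successes, and leaves the action field calculation inside the data model, or the permissions under which the acceleration search runs, as the places to check.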
Hi there - having the same problem with my accelerated data in ES.
Success is listed as a value when I search cim_Authentication_indexes tag=authentication | stats values(action).
Not sure what's happening!