|datamodel Authentication search | search Authentication.action=success works as expected and finds thousands of events correctly, but when I try |tstats count from datamodel=Authentication by Authentication.action I only find failures and unknowns, and no successes.
I see the constraint ('cim_Authentication_indexes') tag=authentication NOT (action=success user=*$), and I ran a search like that and was also able to see action=success events, so I don't know what's going on.
What's wrong with the acceleration? Why can't I find any Authentication.action=success events?
Did you try a | tstats summariesonly=false count from datamodel=Authentication by Authentication.action?
On the other hand,
(action=success has a logical AND condition between
Yup, summariesonly=false doesn't help
Also yes, it's an AND. As I said, using the constraint directly in the search works perfectly and I'm able to find events with action=success. I don't know why the acceleration would replace the successes with unknowns; without acceleration it works fine.
If summariesonly=false doesn't produce results, then the problem isn't the acceleration, it's that the data's probably not normalized properly. There's no data to accelerate.
Try running "cim_Authentication_indexes tag=authentication | stats values(action)" - is "success" one of the listed values?
That works fine.
When the DM is not accelerated I can find action=success, but when it is accelerated I can only find action=failure or action=unknown. For some reason the field calculation for the action field in the DM ignores all the action=success events and rewrites them as unknown.
Hi there - having the same problem with my accelerated data in ES.
Success is listed as a value when I search cim_Authentication_indexes tag=authentication | stats values(action).
Not sure what's happening!
Are you sure your tstats searches have access to all indexes? Sometimes you may have whitelisted only specific indexes in your CIM setup.
Yes, permissions are not an issue.
Have you tried reproducing this issue?
It only happens when acceleration is checked on the Data model
Are the events all coming from data extracted by a single app/TA? If so, make sure that the app is imported into ES (if it is an ES search head), and make sure the permissions on the app and its knowledge objects are correct.
My client is not using Enterprise Security (ES).
We are developing an application with a few dashboards using the CIM Data Models.
All the field extractions and calculations work fine from their own TA/Splunk_TA, but when accelerated the summary indices are not collecting events with action=success.
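The following diagnostic search is added here as an example; it was not posted by any participant in the thread. It puts the three paths discussed above side by side in one table: the accelerated summary alone (summariesonly=true), the summary plus raw events (summariesonly=false), and the data model's own constraint search run directly against the indexes. It assumes the stock CIM Authentication constraint quoted in the question, and the path labels ("accelerated_summary", "summary_plus_raw", "constraint_search") are names chosen for this comparison, not fields that exist anywhere in Splunk.

```spl
| tstats summariesonly=true count from datamodel=Authentication by Authentication.action
| eval path="accelerated_summary"
| append
    [| tstats summariesonly=false count from datamodel=Authentication by Authentication.action
     | eval path="summary_plus_raw"]
| append
    [search `cim_Authentication_indexes` tag=authentication NOT (action=success user=*$)
     | stats count by action
     | rename action AS Authentication.action
     | eval path="constraint_search"]
| chart sum(count) AS events OVER Authentication.action BY path
| fillnull value=0
```

Run it over the same time range in all three places (the subsearches inherit the outer time picker). If the constraint_search column shows success but accelerated_summary shows 0, the raw data is normalized and the gap is in what the summary contains; if all three columns show 0 for success, the problem is upstream of acceleration and the action field is not being set to success at search time for those events.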