Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Data Model adding indexes

gcusello
SplunkTrust
SplunkTrust
‎06-01-2017 02:00 AM

Hi at all,
I have a search very simple (tag=MYTAG) that gives to me results that I use in a timechart count by a field (my_field) and correctly runs giving time distribution for the two values of my_field (OK, KO).

tag=MYTAG | timechart count by my_field

If I use it in a Data Model, I have as result of the related Pivot three values (OK, KO, NULL) instead the correct two values.

Exploding results as search, I see that Data Model added to my search (tag=MYTAG) the additional condition
(index=* OR index=_*) that gives the problem of the NULL values.

Why this appens? I was wrong in Data Model Configuration?
Is there a way to avoid this?

Thank you in advance.
Bye.
Giuseppe

0 Karma
Reply

hardikJsheth
Motivator
‎06-01-2017 03:32 AM

When you run tag=MYTAG | timechart count by my_field this query from search window it hits only the default indexes as per your role. By default it's main index.

When you use the same search as base search for your data models the default index will be that of the admin user.

You will get same result if you add add macro in your base search for data model:

get_index | search tag="MYTAG"

In the macro define only the index that you want to search rather than index=*.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-01-2017 06:33 AM

Thanks hardikJsheth,
but MYTAG search is index=my_index sourcetype=my_sourcetype so the problem isn't the default indexes path.
The problem that I don't understand is why Data Model adds the condition (index=* OR index=_*) ?

Bye.
Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...