Data Model adding indexes

gcusello · ‎06-01-2017

Hi at all,
I have a search very simple (tag=MYTAG) that gives to me results that I use in a timechart count by a field (my_field) and correctly runs giving time distribution for the two values of my_field (OK, KO).

tag=MYTAG | timechart count by my_field

If I use it in a Data Model, I have as result of the related Pivot three values (OK, KO, NULL) instead the correct two values.

Exploding results as search, I see that Data Model added to my search (tag=MYTAG) the additional condition
(index=* OR index=_*) that gives the problem of the NULL values.

Why this appens? I was wrong in Data Model Configuration?
Is there a way to avoid this?

Thank you in advance.
Bye.
Giuseppe

hardikJsheth · ‎06-01-2017

When you run tag=MYTAG | timechart count by my_field this query from search window it hits only the default indexes as per your role. By default it's main index.

When you use the same search as base search for your data models the default index will be that of the admin user.

You will get same result if you add add macro in your base search for data model:

get_index | search tag="MYTAG"

In the macro define only the index that you want to search rather than index=*.

gcusello · ‎06-01-2017

Thanks hardikJsheth,
but MYTAG search is index=my_index sourcetype=my_sourcetype so the problem isn't the default indexes path.
The problem that I don't understand is why Data Model adds the condition (index=* OR index=_*) ?

Bye.
Giuseppe

Data Model adding indexes

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?