Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Discrepancy between datamodel, summaries, & raw search

richkappler
Path Finder
‎08-21-2018 07:55 AM

We are running SE 6.5.4, ES 4.7.1, Splunk_SA_CIM - 4.8.0

I'm getting a discrepancy between 3 searches over the exact same 15 minute period (any given 15 minute period) for the following 3 searches:

| tstats count FROM datamodel=Web WHERE Web.action=blocked BY Web.category (test case: 49 results)

| tstats summariesonly count FROM datamodel=Web WHERE Web.action=blocked BY Web.category (test case: 44 results)

index=XXXX_proxy action=blocked | stats count by category (test case: 49 results)

Web datamodel is accelerated, Earliest time as set in CIM setup = 2 month

The disparity is not consistent. Sometimes the result count is equal for all 3 searches, sometimes the 2 data model searches are equal and raw is different, etc.

This is making us question the validity of our data models, it seems all three result sets should be the same.

How should I troubleshoot this?

0 Karma
Reply

DalJeanis
Legend
‎08-21-2018 11:26 AM

You didn't say what your latest= might be.

Run for a period that is both recent and safely in the past, where acceleration is sure to be complete, and where the time bounds match those on your acceleration rather than breaking across them. The three should match completely.

If they do not, then narrow the time frame until you identify a short part of the time frame where there is a difference, probably in your third search.

Then, look at the individual events and find which one is different. If this condition is true, then chances are, there is an event that matches the criteria of your third search but does not match the criteria of the CIM.

Correct either the CIM or the non-CIM search.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-21-2018 10:02 AM

Depending on when the tstats command runs, the summariesonly option will make a difference in the results. If a datamodel acceleration is in progress, summariesonly=true tells tstats to ignore the incomplete DMA.

Otherwise, I cannot explain this phenomenon even though I've seen it myself.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...