Discrepancy between datamodel, summaries, & raw search

richkappler
Path Finder

We are running SE 6.5.4, ES 4.7.1, Splunk_SA_CIM - 4.8.0

I'm getting a discrepancy between 3 searches over the exact same 15 minute period (any given 15 minute period) for the following 3 searches:

| tstats count FROM datamodel=Web WHERE Web.action=blocked BY Web.category (test case: 49 results)

| tstats summariesonly=true count FROM datamodel=Web WHERE Web.action=blocked BY Web.category (test case: 44 results)

index=XXXX_proxy action=blocked | stats count by category (test case: 49 results)

Web datamodel is accelerated, Earliest time as set in CIM setup = 2 months

The disparity is not consistent. Sometimes the result count is equal for all 3 searches, sometimes the 2 data model searches are equal and raw is different, etc.

This is making us question the validity of our data models; it seems all three result sets should be the same.

How should I troubleshoot this?

0 Karma

DalJeanis
Legend

You didn't say what your latest= might be.

Run for a period that is both recent and safely in the past, where acceleration is sure to be complete, and where the time bounds match those on your acceleration rather than breaking across them. The three should match completely.

If they do not, then narrow the time frame until you identify a short part of the time frame where there is a difference, probably in your third search.

Then, look at the individual events and find which one is different. If this condition is true, then chances are, there is an event that matches the criteria of your third search but does not match the criteria of the CIM.

Correct either the CIM or the non-CIM search.

0 Karma
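One way to carry out the narrowing step above in a single search (an added example, not from any of the posters): bucket both the raw search and the summariesonly tstats search by minute and keep only the minutes where the counts disagree, then list the raw events in such a minute that the Web datamodel would not pick up. It assumes the index name XXXX_proxy from the question, that the time picker is set to the same recent-but-completed window for the whole search (the append subsearch inherits it), and that the Web datamodel's root search constraint is tag=web as in the shipped CIM definition.

```spl
/* Step 1: per-minute diff of raw count vs accelerated-summary count.
   Non-zero rows in "diff" mark the minutes worth inspecting. */
index=XXXX_proxy action=blocked
| bin _time span=1m
| stats count AS raw_count BY _time
| append
    [| tstats summariesonly=true count AS dm_count
       FROM datamodel=Web WHERE Web.action=blocked
       BY _time span=1m]
| stats sum(raw_count) AS raw_count sum(dm_count) AS dm_count BY _time
| fillnull value=0 raw_count dm_count
| eval diff=raw_count-dm_count
| where diff!=0
| sort _time

/* Step 2: in a minute that Step 1 flagged, show the raw events that
   fail the datamodel's root constraint (assumed: tag=web), i.e. events the
   third search matches but the CIM model never sees. Replace the
   earliest/latest placeholders with the flagged minute. */
index=XXXX_proxy action=blocked earliest="<FLAGGED_MINUTE_START>" latest="<FLAGGED_MINUTE_END>"
| eval in_web_model=if(match(tag, "(^|\s)web(\s|$)"), "yes", "no")
| where in_web_model="no"
| table _time sourcetype eventtype tag action category
```

If Step 2 returns nothing for a flagged minute, the difference is on the acceleration side (summary not yet built for that span, or a summary range boundary), not in CIM field mapping, which is what the summariesonly=true vs plain tstats comparison distinguishes.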

richgalloway
SplunkTrust

Depending on when the tstats command runs, the summariesonly option will make a difference in the results. If a datamodel acceleration is in progress, summariesonly=true tells tstats to ignore the incomplete DMA.

Otherwise, I cannot explain this phenomenon even though I've seen it myself.

---
If this reply helps you, Karma would be appreciated.
0 Karma