Why is the tstats summaries not returning child's fields only?

cabrini77
Engager

Hi,

I'm new to data models, so perhaps my 2 questions are basic. I checked Google and the docs but wasn't able to find an answer.

First:
Impossible to see child's fields when using summariesonly (no problem for root's fields)
With tstats I have results when counting "tag" for my root's "S" or child's "S.goog"

| tstats count from datamodel=proxy where earliest=-10m nodename=S by S.tag
        S.tag           count   
        Compliance      22213
        Denied          5693
        error           229
        google          8084

| tstats count from datamodel=proxy where earliest=-10m nodename=S.goog by S.tag
        S.tag           count   
        Compliance      1263
        error           10
        google          8120

With tstats summariesonly=t I have results only for the root:

| tstats summariesonly=t count from datamodel=proxy where earliest=-10m nodename=S by S.tag
        S.tag           count   
        Compliance      7702
        Denied          1833
        error           73 

| tstats summariesonly=t count from datamodel=proxy where earliest=-10m nodename=S.goog by S.tag
        No result found

I thought summariesonly was to tell Splunk to check only the accelerated .tsidx files (not to check data that is not accelerated).
In the Splunk docs:
"To accelerate a data model, it must contain at least one root event dataset, or one root search dataset that only uses streaming commands. Acceleration only affects these dataset types and datasets that are children of those root datasets."

Then why can't I see child's fields like S.tag or nodename=S.goog in .tsidx?
Do I have to activate something on child?

Secondly:
I have a result when I search "last days", "last hour", earliest=-10m, but nothing happens if I choose a time range: is it a bug in Splunk v6.5?

Cheers

1 Solution

secuc2r83
Path Finder

@cabrini, it looks like a rights problem.
Check permissions on each element you try to use in your datamodel to be sure it's not private.

0 Karma

MattibergB
Path Finder

Hi,

Did you ever find out why this happened?
We have a similar issue, and when I create a clone of the datamodel I am able to use tstats.

Thanks!

0 Karma

cabrini77
Engager

Thanks, the eventtype's wasn't..., I had just checked tags.

0 Karma
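
The permission check suggested in the accepted answer, as an added example that is not part of the original thread: it extracts the eventtypes and tags referenced by each dataset's constraint search and flags any that are private or missing. The constraint strings, object names and owner are constructed for illustration; the ACL rows are shaped like Splunk's REST `eai:acl.sharing` metadata, where `user` means private.

```python
import re

# Constructed sample: constraint searches of the root and child datasets
# (hypothetical; the thread does not show the real constraints).
CONSTRAINTS = {
    "S": "index=proxy tag=proxy",
    "S.goog": 'eventtype=proxy_google OR eventtype="proxy_gmail" tag=google',
}

# Constructed sample rows shaped like REST ACL metadata for knowledge objects.
# sharing: "user" = private to the owner, "app" / "global" = shared.
ACLS = [
    {"type": "tag", "name": "proxy", "sharing": "global", "owner": "nobody"},
    {"type": "tag", "name": "google", "sharing": "global", "owner": "nobody"},
    {"type": "eventtype", "name": "proxy_google", "sharing": "user", "owner": "alice"},
    {"type": "eventtype", "name": "proxy_gmail", "sharing": "app", "owner": "nobody"},
]

# Matches eventtype=<name> and tag=<name>, with or without double quotes.
REF = re.compile(r'\b(eventtype|tag)\s*=\s*"?([\w:.-]+)"?', re.IGNORECASE)


def referenced_objects(constraint):
    """Return the set of (type, name) knowledge objects a constraint uses."""
    return {(kind.lower(), name) for kind, name in REF.findall(constraint)}


def audit(constraints, acls):
    """Map dataset name -> list of ((type, name), reason) for problem objects."""
    by_key = {(a["type"], a["name"]): a for a in acls}
    report = {}
    for dataset, constraint in constraints.items():
        problems = []
        for ref in sorted(referenced_objects(constraint)):
            acl = by_key.get(ref)
            if acl is None:
                problems.append((ref, "not found"))
            elif acl["sharing"] == "user":
                problems.append((ref, "private to " + acl["owner"]))
        if problems:
            report[dataset] = problems
    return report


if __name__ == "__main__":
    for dataset, problems in audit(CONSTRAINTS, ACLS).items():
        for (kind, name), why in problems:
            print(f"{dataset}: {kind} '{name}' is {why}")
```
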