This search pulls all Authentication attempts from the Authentication datamodel,

| tstats summariesonly values(Authentication.action) as action,values(Authentication.app) as app,values(Authentication.src) as src,values(Authentication.dest) as dest,values(Authentication.user) as user,count from datamodel=Authentication.Authentication where $constraints$ by _time span=$span$

I just need this search refined to only pull Privileged Authentication Attempts, from the Privileged_Authentication dataset from the authentication datamodel but just changing datamodel=Authentication.Authentication to datamodel=Authentication.Privileged_Authentication doesn't work, because I get the error Error in 'DataModelCache': Invalid or unaccelerable root object for datamodel

The $constraints$ should be the same because the dataset Inherits the datamodel constraints. Or atleast that's how I understand it...

Are you using this in the $contraints$ variable : (nodename = Authentication.Privileged_Authentication) ?

Your search should look like this :

... datamodel=Authentication where (nodename = Authentication.Privileged_Authentication) ...

Yeah we tried this

| tstats summariesonly values(Authentication.action) as action,values(Authentication.app) as app,values(Authentication.src) as src,values(Authentication.dest) as dest,values(Authentication.user) as user,values(Authentication.tag) as tag,count from datamodel=Authentication where (nodename = Authentication.Privileged_Authentication $constraints$ by _time span=$span$)

It "Works" as in when you search for it via search it will return results, but it still wont return any swimlane results...

Does swimlane have to be tstats?

ES, I'm just making a swimlane search. https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Createswimlanesearches