Splunk Enterprise Security

Unable to use tstats against child dataset in a datamodel

harishbenne2
Explorer

Hi guys,

I am unable to run the tstats command against a sub-dataset in a datamodel. Whenever I try to, it throws the error below:

Error in 'DataModelCache': Invalid or unaccelerable root object for datamodel

I am not even using summariesonly in my query, which would require the datamodel to be accelerated. (It's accelerated though!)

| from datamodel:Intrusion_Detection.Network_IDS_Attacks | stats count

The above query gives me the right answer; however, when I use tstats as in the query below, it all goes haywire.

| tstats count from datamodel=Intrusion_Detection.Network_IDS_Attacks

Could someone point out to me what it is I'm doing wrong?


richgalloway
SplunkTrust

Use nodename. This option is buried in the tstats docs.

| tstats count from datamodel=Intrusion_Detection where nodename=Intrusion_Detection.Network_IDS_Attacks
---
If this reply helps you, an upvote would be appreciated.

kprior201_lilly
Explorer

So, I've noticed that this does not work for the Endpoint datamodel. For Endpoint, it has to be datamodel=Endpoint. without a nodename. It seems to be the only datamodel that this is occurring for at this time. Is this an issue that you've come across?


richgalloway
SplunkTrust

Yes, I've seen that, too.

---
If this reply helps you, an upvote would be appreciated.

harishbenne2
Explorer

But I see it on all the datamodels when I try to work with the child datasets. The nodename works to an extent, but not completely.

I do not know why it doesn't work anymore.


kprior201_lilly
Explorer

I have a support ticket open about this, and below is the latest update. Basically, there is a discrepancy between the way tstats works with the different combinations of events/search definitions in data models. Splunk has a JIRA ticket open to address this discrepancy, but no resolution is defined as of yet.

"As we discussed with my colleague as well, tstats searches against accelerated DMs relying on a Root Search Dataset, but part of a Mixed Model (which means that it also contains at least one Root Event Dataset), will always fail regardless of whether the constraint search is or is NOT a streaming search, as this is currently not supported.
Basically this is what happens in our case and what the SPL ticket states.

Here is the SPL ticket in case you want to verify: SPL-167885.

As we saw, other options to use in the search are the "| datamodel" or the "| from" command.
https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Datamodel
https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/From "

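Putting the three approaches from this thread side by side, as an added SPL example that is not from any of the posters above: the first search is the nodename form from richgalloway's reply (the nodename value is taken from that reply as given, not verified against the CIM object hierarchy), and the other two are the "| from" and "| datamodel" fallbacks named in the support update, which read the datamodel without depending on acceleration. The hourly span and the "method" label are my additions so the three result sets can be compared directly; if the summariesonly count trails the other two for recent hours, that gap is the acceleration lag, not missing IDS events.

```spl
| tstats summariesonly=true count from datamodel=Intrusion_Detection where nodename=Intrusion_Detection.Network_IDS_Attacks by _time span=1h
| eval method="tstats with nodename (accelerated summaries only; fails on a Root Search Dataset in a mixed model)"

| from datamodel:Intrusion_Detection.Network_IDS_Attacks
| timechart span=1h count
| eval method="from datamodel (fallback, reads the dataset without tstats)"

| datamodel Intrusion_Detection Network_IDS_Attacks search
| timechart span=1h count
| eval method="datamodel command (fallback, same result as from)"
```

Run each search separately over the same time range; the two fallbacks are slower because they do not use the acceleration summaries, which is the trade-off for working on datasets that tstats rejects with the "Invalid or unaccelerable root object" error.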