Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Fields are not showing up in "tstats"

bhsakarchourasi
Path Finder
‎11-24-2020 06:24 AM

Hi All,

There is a strange issue that I am facing regarding tstats.

When I run the query using |from datamodle: it gives the proper result and all expected fields are reflecting in result.

But when I run same query with |tstats summariesonly=true it doesn't give any result.

Any idea what to check and how I can resolve this issue.

 

Thanks,

Bhaskar 

Labels (3)
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-24-2020 06:56 AM

Is the datamodel accelerated?  If it is not then tstats summariesonly=true will find nothing because it only looks at DM summarizations (the result of acceleration).  The from command does not require acceleration so that's why it finds results.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

bhsakarchourasi
Path Finder
‎11-24-2020 07:32 AM

Hi,

Thanks for your reply,

Yes, DM is accelerated and to confirm that I have some other queries which is running for this DM with tstats.

 

Thanks,

Bhaskar

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-24-2020 09:41 AM

Perhaps the tstats search is trying to use fields that are not in the DMA summary or the fields are null so stats can't be computed.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

bhsakarchourasi
Path Finder
‎11-24-2020 09:26 PM

Hi,

Thanks for your reply.

This make sense to me but weird part of my issue is most of the values of one field is there in tstats result not the one which I am using.

For more clarity.

field name is activityType value "22" is present in tstats but value "117" is not there.

 

Thanks,

Bhaskar  

0 Karma
Reply

bhsakarchourasi
Path Finder
‎11-25-2020 09:50 PM

Hi Guys,

Please help, now the required events are not coming data model at all, where I can see all the events are tagged properly, relevant fields are mapped to data model.

Is there something that I am missing currently.

Thanks,

Bhaskar 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...