Re: Fields are not showing up in "tstats"

bhsakarchourasi · ‎11-24-2020

Hi All,

There is a strange issue that I am facing regarding tstats.

When I run the query using |from datamodle: it gives the proper result and all expected fields are reflecting in result.

But when I run same query with |tstats summariesonly=true it doesn't give any result.

Any idea what to check and how I can resolve this issue.

Thanks,

Bhaskar

richgalloway · ‎11-24-2020

Is the datamodel accelerated? If it is not then tstats summariesonly=true will find nothing because it only looks at DM summarizations (the result of acceleration). The from command does not require acceleration so that's why it finds results.

---
If this reply helps you, Karma would be appreciated.

bhsakarchourasi · ‎11-24-2020

Hi,

Thanks for your reply,

Yes, DM is accelerated and to confirm that I have some other queries which is running for this DM with tstats.

Thanks,

Bhaskar

richgalloway · ‎11-24-2020

Perhaps the tstats search is trying to use fields that are not in the DMA summary or the fields are null so stats can't be computed.

---
If this reply helps you, Karma would be appreciated.

bhsakarchourasi · ‎11-24-2020

Hi,

Thanks for your reply.

This make sense to me but weird part of my issue is most of the values of one field is there in tstats result not the one which I am using.

For more clarity.

field name is activityType value "22" is present in tstats but value "117" is not there.

Thanks,

Bhaskar

bhsakarchourasi · ‎11-25-2020

Hi Guys,

Please help, now the required events are not coming data model at all, where I can see all the events are tagged properly, relevant fields are mapped to data model.

Is there something that I am missing currently.

Thanks,

Bhaskar

Fields are not showing up in "tstats"

administration

configuration

troubleshooting

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms