Splunk Enterprise

tstats and child dataset

secuc2r83
Path Finder

Hello Splunk community,

I think I'm missing something between datamodel and child dataset.
My goal: in my proxy logs, I add 2 tags (risky/clean) for some destinations. I need to print the percentage of risky/clean traffic for each hour.

My accelerated datamodel DM1 hierarchy (summary for 3 months):

DM1:
     - DS1      (root event:    sourcetype=proxy)
        - DS11  (child:         tag=risky )
        - DS12  (child:     tag=clean eventtype="out_*")

If I check EVENTS for child "DS12" for 2 hours (2PM - 4PM)

| datamodel DM1 DS12 search
        125000 events 
        field "action"= 8 values
        inherited field "DS1.application" = 7 values

If I check STATS for child "DS12" for 2 hours (2PM - 4PM)

Events for each hour:

| tstats count from datamodel=DM1 where (nodename = DS1.DS12) groupby _time span=1h
            *No results*

Count by application for each hour:

| tstats count(DS1.application) from datamodel=DM1 where (nodename = DS1.DS12) groupby _time span=1h
            *No results*

If I check STATS from .TSIDX (accelerated datamodel) for 2 hours (2PM - 4PM):
Ok for root object DS1:

 | tstats summariesonly=true count, values(DS1.application) AS "Appli" from datamodel=DM1 where (nodename=DS1) groupby _time span=1h
                    _time           count       Appli
                    2PM             57000       xxx
                    3PM             4309        yyy
                    4PM             44537       zzz

But nothing for child object DS12:

| tstats summariesonly=t count, values(DS1.application) AS "Appli" from datamodel=DM1 where (nodename = DS1.DS12) groupby _time span=1h
                            *No results*

So: I have events on my child DS12.
I can do stats on the root event in my 2 .tsidx (datamodel and accelerated datamodel), but it is impossible for child events on the same .tsidx.

Thanks in advance.
(For info: tag and eventtype are multivalue fields containing more than one entry: tag = test1, risky / eventtype = out_if1, Compliance)

0 Karma
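As an added example (not from the original post and not Splunk's own code), this is one way to get the per-hour risky/clean percentage the question asks for, once the child datasets are readable from the summary. It assumes the two children are reachable as nodename=DS1.DS11 and nodename=DS1.DS12, that grouping by nodename returns one row per child dataset, and that an event carries only one of the two tags; the class labels and the pct_* field names are constructed for this example.

```spl
| tstats summariesonly=true count
    FROM datamodel=DM1
    WHERE nodename=DS1.DS11 OR nodename=DS1.DS12
    BY _time span=1h, nodename
| eval class=case(nodename=="DS1.DS11", "risky", nodename=="DS1.DS12", "clean")
| timechart span=1h sum(count) BY class
| fillnull value=0 risky clean
| eval total=risky+clean
| eval pct_risky=round(100*risky/total, 2)
| eval pct_clean=round(100*clean/total, 2)
| table _time risky clean pct_risky pct_clean
```

Because tag is a multivalue field, an event tagged both risky and clean would satisfy both child constraints and be counted twice; if that can happen, the denominator should come from the root dataset (nodename=DS1) instead of risky+clean. Hours with no tagged traffic give total=0 and a null percentage rather than an error.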

secuc2r83
Path Finder

Hi DalJeanis, and thanks for your help

(Time range for the tests = 24h / Summary range=3 months / Status in datamodel settings = 100% completed)

No problem with datamodel (DM1) or root object (DS1)

  | tstats count from datamodel=DM1 
        count
        1245876

  | tstats count from datamodel=DM1 by _time span=1h
        _time           count
        2PM             123
        3PM             345

  | tstats count from datamodel=DM1.DS1 
        count
        6789900

  | tstats count from datamodel=DM1.DS1  by _time span=1h
        _time           count
        2PM             345
        3PM             567

But impossible for child events (DS11 or DS12)

  | tstats count from datamodel=DM1.DS1.DS11 
        Error in TsidxStats: Invalid or unaccelerate root object for datamodel 

   | tstats count from datamodel=DM1.DS1.DS11  by _time span=1h
        Error in TsidxStats: Invalid or unaccelerate root object for datamodel 

But I can check the child content (via datamodel) and tstats something via nodename (I don't know what the stats represent):

  | datamodel DM1 DS11 search
        125998 events with inherited fields (DS1.action, DS1.dest....)

 | tstats count from datamodel=DM1.DS1 where nodename=DS1.DS11
        count
        1345

When I try for a time range (2PM - 6PM)

  | tstats count from datamodel=DM1.DS1 where nodename=DS1.DS11 by _time span=1h
        _time           count
        4PM             887

=> Nothing for the other hours (2PM, 3PM)

=> In the last example: if I change the time range to 7 days, same result! (same number of events for 24h as for 7 days!!!)
Strange!

0 Karma
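Added diagnostic, not part of the thread: this search compares, hour by hour, what the accelerated summary holds for DS11 against what the raw data model search finds, so the hours where the child membership is absent from the .tsidx stand out. It assumes the time picker is set to the 24h window used above and that DS11 is reachable as nodename=DS1.DS11; the source labels and the missing_in_summary field are constructed for this example.

```spl
| tstats summariesonly=true count
    FROM datamodel=DM1
    WHERE nodename=DS1.DS11
    BY _time span=1h
| eval source="summary"
| append
    [| datamodel DM1 DS11 search
     | bin _time span=1h
     | stats count BY _time
     | eval source="raw"]
| chart sum(count) OVER _time BY source
| fillnull value=0 raw summary
| eval missing_in_summary=raw-summary
```

With summariesonly=true, tstats reports only what the summary files contain; an hour where raw is larger than summary means the summary for that span was built without the child constraint being satisfied (the tag and eventtype in DS11's constraint are resolved when the summary is built, so a tag added after acceleration does not appear in already-summarized spans until they are rebuilt) or has not been summarized at all. With the default summariesonly=false, tstats fills unsummarized spans with a live search, which is one reason the two variants return different counts. The raw side runs as a subsearch, so on large volumes check that it was not truncated by the subsearch limits.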

DalJeanis
Legend

Okay, I'd be trying to figure out where you are losing it. Does each of these return any results?

 | tstats count from datamodel=DM1 

 | tstats count from datamodel=DM1 by _time span=1h

 | tstats count from datamodel=DM1.DS1 

 | tstats count from datamodel=DM1.DS1  by _time span=1h

 | tstats count from datamodel=DM1.DS1.DS11 

 | tstats count from datamodel=DM1.DS1.DS11  by _time span=1h
0 Karma