Hello splunk comunity,

I think i'm missing something between datamodel and child dataset
My goal: In my proxy logs, i add 2 tags (risky/clean) for some destination. I need to print percent of risky/clean trafic for each hour

My accelerated datamodel DM1 hierarchy (Summary for 3 month):

DM1:
     - DS1      (root event:    sourcetype=proxy)
        - DS11  (child:         tag=risky )
        - DS12  (child:     tag=clean eventtype="out_*)

If i check EVENTS for child "DS12" for 2hours (2PM - 4PM)

| datamodel DM1 DS12 search
        125000 events 
        field "action"= 8 values
        herited field "DS1.application" = 7 values

If i check STATS for child "DS12" for 2hours (2PM - 4PM)

Events for each hour:

| tstats count from datamodel=DM1 where (nodename = DS1.DS12) groupby _time span=1h
            *No results*

Count by application for each hour:

| tstats count(DS1.application) from datamodel=DM1 where (nodename = DS1.DS12) groupby _time span=1h
            *No results*

If i check STATS from .TSIDX (accelerated datamodel) for 2hours (2PM - 4PM):
Ok for root object DS1:

 | tstats summariesonly=true count, values(DS1.application) AS "Appli" from datamodel=DM1 where (nodename=DS1) groupby _time span=1h
                    _time           count       Appli
                    2PM             57000       xxx
                    3PM             4309        yyy
                    4PM             44537       zzz

But nothing for child object DS12:

| tstats summariesonly=t count, values(DS1.application) AS "Appli" from datamodel=DM1 where (nodename = DS1.DS12) groupby _time span=1h
                            *No results*

Then: I have events on my child DS12
I could do stats on root event in my 2 .tsidx (datamodel and Accelerated datamodel) but impossible for child events on same .tsidx

Thanks in advance.
(For info: tag and eventtype are multivalue fields containing more than 1 entry: tag = test1, risky / eventtype = out_if1, Compliance)