Splunk Enterprise

tstats and child dataset

secuc2r83
Path Finder

Hello Splunk community,

I think I'm missing something between the data model and its child datasets.
My goal: in my proxy logs, I add 2 tags (risky/clean) for some destinations. I need to print the percentage of risky/clean traffic for each hour.

My accelerated data model DM1 hierarchy (summary range: 3 months):

DM1:
     - DS1      (root event:  sourcetype=proxy)
        - DS11  (child:       tag=risky)
        - DS12  (child:       tag=clean eventtype="out_*")

If I check EVENTS for child "DS12" for 2 hours (2PM - 4PM):

| datamodel DM1 DS12 search
        125000 events
        field "action" = 8 values
        inherited field "DS1.application" = 7 values

If I check STATS for child "DS12" for 2 hours (2PM - 4PM):

Events for each hour:

| tstats count from datamodel=DM1 where (nodename = DS1.DS12) groupby _time span=1h
            *No results*

Count by application for each hour:

| tstats count(DS1.application) from datamodel=DM1 where (nodename = DS1.DS12) groupby _time span=1h
            *No results*

If I check STATS from the .TSIDX (accelerated data model) for 2 hours (2PM - 4PM):
OK for root object DS1:

 | tstats summariesonly=true count, values(DS1.application) AS "Appli" from datamodel=DM1 where (nodename=DS1) groupby _time span=1h
                    _time           count       Appli
                    2PM             57000       xxx
                    3PM             4309        yyy
                    4PM             44537       zzz

But nothing for child object DS12:

| tstats summariesonly=t count, values(DS1.application) AS "Appli" from datamodel=DM1 where (nodename = DS1.DS12) groupby _time span=1h
                            *No results*

So: I have events in my child DS12.
I can do stats on the root event in my 2 .tsidx (data model and accelerated data model), but it is impossible for child events on the same .tsidx.

Thanks in advance.
(For info: tag and eventtype are multivalue fields containing more than 1 entry: tag = test1, risky / eventtype = out_if1, Compliance.)

0 Karma
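As an added example, not taken from the original post or from Splunk's own documentation, here is one way to express the stated goal (hourly percentage of risky vs. clean traffic) with tstats once the child datasets return rows. It keeps the names from the post (DM1, DS1, DS11, DS12); the field names class, total and percent are chosen here. Child datasets are addressed by naming the data model and filtering on nodename=<root>.<child>; the datamodel= argument itself only accepts <model> or <model>.<root dataset>, which is what the "Invalid or unaccelerated root object" error seen later in this thread reflects.

```spl
| tstats summariesonly=true count from datamodel=DM1 where nodename=DS1.DS11 by _time span=1h
| eval class="risky"
| append
    [| tstats summariesonly=true count from datamodel=DM1 where nodename=DS1.DS12 by _time span=1h
     | eval class="clean"]
| eventstats sum(count) AS total by _time
| eval percent=round(100*count/total, 2)
| table _time class count total percent
| sort _time class
```

Two checks worth making while debugging a run like the one in this thread: summariesonly=true only ever reads the acceleration summary, so if the summary does not yet cover the hours you are looking at, the rows are silently absent rather than an error; dropping the option (or setting summariesonly=false) lets tstats fall back to the raw indexed events for the uncovered range, and comparing the two counts tells you whether the gap is in the summary or in the dataset constraint. Second, any data model field used in the aggregation or in the by clause must carry the root dataset prefix (DS1.application, not application), as the root-object query in the post already does.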

secuc2r83
Path Finder

Hi DalJeanis, and thanks for your help.

(Time range for the tests = 24h / summary range = 3 months / status in data model settings = 100% completed)

No problem with the data model (DM1) or the root object (DS1):

  | tstats count from datamodel=DM1 
        count
        1245876

  | tstats count from datamodel=DM1 by _time span=1h
        _time           count
        2PM             123
        3PM             345

  | tstats count from datamodel=DM1.DS1 
        count
        6789900

  | tstats count from datamodel=DM1.DS1  by _time span=1h
        _time           count
        2PM             345
        3PM             567

But impossible for child events (DS11 or DS12):

  | tstats count from datamodel=DM1.DS1.DS11 
        Error in TsidxStats: Invalid or unaccelerate root object for datamodel 

   | tstats count from datamodel=DM1.DS1.DS11  by _time span=1h
        Error in TsidxStats: Invalid or unaccelerate root object for datamodel 

But I can check the child content (via datamodel) and tstats something via nodename (I don't know what the stats represent):

  | datamodel DM1 DS11 search
        125998 events with inherited fields (DS1.action, DS1.dest, ...)

  | tstats count from datamodel=DM1.DS1 where nodename=DS1.DS11
        count
        1345

When I try for a time range (2PM - 6PM):

  | tstats count from datamodel=DM1.DS1 where nodename=DS1.DS11 by _time span=1h
        _time           count
        4PM             887

=> Nothing for the other hours (2PM, 3PM)

=> In the last example: if I change the time range to 7 days, same result! (Same number of events for 24h as for 7 days!!!)
Strange!

0 Karma

DalJeanis
Legend

Okay, I'd be trying to figure out where you are losing it. Does each of these return any results?

 | tstats count from datamodel=DM1 

 | tstats count from datamodel=DM1 by _time span=1h

 | tstats count from datamodel=DM1.DS1 

 | tstats count from datamodel=DM1.DS1  by _time span=1h

 | tstats count from datamodel=DM1.DS1.DS11 

 | tstats count from datamodel=DM1.DS1.DS11  by _time span=1h
0 Karma