I'm running a search that is something like this:
| tstats values from datamodel=foo
When the datamodel is not accelerated, I get all my data.
When it is accelerated, no data is returned.
If i specify the fields with values(foo)
, values(bar)
and so on, it works just fine.
Does anyone know if wildcards or returning all values at once isn't supposed to work if the datamodel is accelerated?
Any way to get around this?
Thanks!
Forgot to close this one.
Splunk support said this isn't supported and won't be supported in the near future if anyone wonders.
Forgot to close this one.
Splunk support said this isn't supported and won't be supported in the near future if anyone wonders.
Hi Goophy,
take this run everywhere command which just runs fine on the internal_server
data model, which is accelerated in my case:
| tstats values from datamodel=internal_server
the result is this:
and as you can see it is accelerated:
So, to answer to answer your question: Yes, it is possible to use values
on accelerated data models to return all values.
Maybe you hit some limit (haven't found anything on a quick search) and try to return too much values at once?
cheers, MuS
Thank you very much for the answer.
The acceleration puts things in TSIDX in 5-minute increments, so the last 15 minutes will always return something.
Can you try to search for yesterday or something?
Sure, running this | tstats values from datamodel=internal_server where earliest=-1d@d latest=-0d@d
returns this for me (Sorry for the ugly paste):
values(bytes) values(count) values(date_hour) values(date_mday) values(date_minute) values(date_month) values(date_second) values(date_wday) values(date_year) values(date_zone) values(digest) values(eventtype) values(file) values(host) values(ident) values(index) values(linecount) values(nodename) values(other) values(punct) values(req_time) values(root) values(search) values(server.acceleration.is_dm_acceleration) values(server.acceleration.is_not_dm_acceleration) values(server.acceleration.is_not_report_acceleration) values(server.acceleration.is_report_acceleration) values(server.clientip) values(server.is_acceleration) values(server.is_licenser) values(server.is_metrics) values(server.is_not_acceleration) values(server.is_not_licenser) values(server.is_not_metrics) values(server.is_not_scheduler) values(server.is_not_splunkdaccess) values(server.is_scheduler) values(server.is_splunkdaccess) values(server.licenser.is_daily_usage) values(server.licenser.is_not_daily_usage) values(server.licenser.is_not_pool_warnings) values(server.licenser.is_not_quota) values(server.licenser.is_not_slave_warn_summary) values(server.licenser.is_pool_warnings) values(server.licenser.is_quota) values(server.licenser.is_slave_warn_summary) values(server.method) values(server.metrics.is_Thruput) values(server.metrics.is_not_Thruput) values(server.metrics.is_not_pipeline) values(server.metrics.is_not_queue) values(server.metrics.is_not_systemwide_search_load_) values(server.metrics.is_not_user_search_load) values(server.metrics.is_pipeline) values(server.metrics.is_queue) values(server.metrics.is_systemwide_search_load_) values(server.metrics.is_user_search_load) values(server.scheduler.is_alerts) values(server.scheduler.is_not_alerts) values(server.scheduler.is_not_scheduled_reports) values(server.scheduler.is_not_summaryindexing) values(server.scheduler.is_scheduled_reports) values(server.scheduler.is_summaryindexing) values(server.spent) values(server.splunkdaccess.is_job_endpoint) values(server.splunkdaccess.is_not_job_endpoint) values(server.status) values(server.uri_path) values(server.uri_query) values(server.user) values(source) values(sourcetype) values(splunk_server) values(splunk_server_group) values(timeendpos) values(timestartpos) values(uri) values(version) values(with_new)
130333 131320 17548 3729 4367 60970 7123 77973 -1 500 15 30 56 october 28 29 friday 2015 780 1 splunkd-access admin default local searches tz user-prefs views indexer - _internal 1 server server.splunkdaccess - - - 11ms - - - 17ms - - - 1ms - - - 3ms - - - 6ms - - - 8ms - - - 9ms ..._-__[//:::._+]_"_///-_/."___-_-_-_ ..._-__[//:::._+]_"_///////_/."___-_-_-_ ..._-__[//:::._+]_"_//////?=&=-_/."___-_-_-_ ..._-__[//:::._+]_"_//////?=-_/."___-_-_-_ ..._-__[//:::._+]_"_/////?=&=%%%%&=_/."___-_-_-_ ..._-__[//:::._+]_"_////_/."___-_-_-_ ..._-__[//:::._+]_"_///?=%&=%&=-_/."___-_-_-_ 30/Oct/2015:15:56:28.979 +1300 30/Oct/2015:15:56:28.985 +1300 30/Oct/2015:15:56:28.998 +1300 30/Oct/2015:15:56:29.022 +1300 30/Oct/2015:15:56:29.043 +1300 30/Oct/2015:15:56:29.062 +1300 30/Oct/2015:15:56:29.080 +1300 30/Oct/2015:15:56:29.101 +1300 30/Oct/2015:15:56:29.121 +1300 30/Oct/2015:15:56:29.150 +1300 30/Oct/2015:15:56:29.208 +1300 services servicesNS disabled%3Dfalse is_visible%3D1%20AND%20disabled%3D0 0 1 1 0 127.0.0.1 0 0 0 1 1 1 1 0 0 1 0 1 1 1 1 0 0 0 GET 0 1 1 1 1 1 0 0 0 0 0 1 1 1 0 0 1 11 17 3 6 8 9 0 1 200 /services/apps/local /services/authentication/users/admin /services/data/user-prefs /services/search/timeparser/tz /servicesNS/admin/launcher/data/ui/nav/default /servicesNS/admin/launcher/data/ui/views /servicesNS/admin/launcher/saved/searches _with_new=1&search=is_visible%3D1%20AND%20disabled%3D0&count=500 count=-1 digest=1&count=-1 search=disabled%3Dfalse&search=visible%3Dtrue&count=-1 admin /opt/splunk/var/log/splunk/splunkd_access.log splunkd_access michael-VirtualBox dmc_group_deployment_server dmc_group_indexer dmc_group_kv_store dmc_group_license_master dmc_group_search_head 49 19 /services/apps/local?search=disabled%3Dfalse&search=visible%3Dtrue&count=-1 /services/authentication/users/admin /services/data/user-prefs /services/search/timeparser/tz /servicesNS/admin/launcher/data/ui/nav/default /servicesNS/admin/launcher/data/ui/views?count=-1 /servicesNS/admin/launcher/data/ui/views?digest=1&count=-1 /servicesNS/admin/launcher/saved/searches?_with_new=1&search=is_visible%3D1%20AND%20disabled%3D0&count=500 HTTP/1.0 1
Awesome, thanks!
Then I know it's just something I'm doing.
Getting no results doing exactly the same as you on both fresh 6.2.0 and 6.3.0 installs.
If this was useful and answered your question, please accept the answer - thx.
I don't want to tag it as answered yet as I still can't reproduce your results unfortunately.
Which version of Splunk do you use?
Splunk 6.3
That is so weird.
I've ran the exact same search on fresh 6.3-installs on three different Debian and RHEL-servers.
No results. A simple count shows that there is data though.
Have you tried some different browsers too?
Just tried Chrome, IE and Firefox.
No difference.
Have a look at the job inspector and see what is reported there; running | tstats values from datamodel=internal_server
over today
returns for me this at top of the job inspector:
This search has completed and has returned 1 result by scanning 213,774 events in 0.377 seconds.
"today" will always contain the last 5 minutes of data which is not accelerated, and that returns something.
If I run yesterday I get the standard:
This search has completed and found 371,510 matching events. However, the transforming commands in the highlighted portion of the following search:
| tstats values from datamodel=internal_server
over the time range:
02/11/2015 00:00:00.000 – 03/11/2015 00:00:00.000
generated no results. Possible solutions are to:
So there is data, but it seems like the accelerated DM just doesn't want to show fields not explicitly mentioned.