Splunk Search

Are wildcards with tstats on accelerated data models not possible?

Explorer

I'm running a search that is something like this:

| tstats values(*) from datamodel=foo

When the datamodel is not accelerated, I get all my data.
When it is accelerated, no data is returned.

If I specify the fields with values(foo), values(bar) and so on, it works just fine.

Does anyone know if wildcards or returning all values at once isn't supposed to work if the datamodel is accelerated?
Any way to get around this?

Thanks!


Re: Are wildcards with tstats on accelerated data models not possible?

SplunkTrust

Hi Goophy,

Take this run-everywhere command, which runs just fine on the internal_server data model, which is accelerated in my case:

| tstats values(*) from datamodel=internal_server

the result is this:

and as you can see it is accelerated:

So, to answer your question: Yes, it is possible to use values(*) on accelerated data models to return all values.
Maybe you hit some limit (haven't found anything on a quick search) and try to return too many values at once?

cheers, MuS

0 Karma

Re: Are wildcards with tstats on accelerated data models not possible?

Explorer

Thank you very much for the answer.

The acceleration puts things in TSIDX in 5-minute increments, so the last 15 minutes will always return something.

Can you try to search for yesterday or something?

0 Karma

Re: Are wildcards with tstats on accelerated data models not possible?

SplunkTrust

Sure, running this

| tstats values(*) from datamodel=internal_server where earliest=-1d@d latest=-0d@d

returns this for me (Sorry for the ugly paste):

0 Karma

Re: Are wildcards with tstats on accelerated data models not possible?

Explorer

Awesome, thanks!

Then I know it's just something I'm doing.
Getting no results doing exactly the same as you on both fresh 6.2.0 and 6.3.0 installs.

0 Karma

Re: Are wildcards with tstats on accelerated data models not possible?

SplunkTrust

If this was useful and answered your question, please accept the answer - thx.

0 Karma

Re: Are wildcards with tstats on accelerated data models not possible?

Explorer

I don't want to tag it as answered yet as I still can't reproduce your results unfortunately.
Which version of Splunk do you use?

0 Karma

Re: Are wildcards with tstats on accelerated data models not possible?

SplunkTrust

Splunk 6.3

0 Karma

Re: Are wildcards with tstats on accelerated data models not possible?

Explorer

That is so weird.
I've run the exact same search on fresh 6.3 installs on three different Debian and RHEL servers.

No results. A simple count shows that there is data though.

0 Karma

Re: Are wildcards with tstats on accelerated data models not possible?

SplunkTrust

Have you tried some different browsers too?

0 Karma