Can eventstats or streamstats be used with acceler...

john_dagostino · ‎10-24-2017

We are looking to convert most if not all of our existing searches and correlation rules to search against accelerated data models. Is there a way to get event/streamstats to work with tstats?

esix_splunk · ‎10-24-2017

Short answer, no : http://docs.splunk.com/Documentation/Splunk/7.0.0/Knowledge/Aboutdatamodels

But you can use event/streamstats against the data model base searches...

john_dagostino · ‎10-25-2017

I'm sorry, I've read over the data model documentation but don't see anything that supports the fact that they do not support eventstats or streamstats, or how to run them against the data model base searches. Can you elaborate?

wryanthomas · ‎10-24-2018

Could you elaborate on what you mean "you can use event/streamstats against the data model base searches..."? By "base searches", are you referring to |datamodel [...] search (which will not leverage acceleration)? Or are you saying you can use event/streamstats in constraint of "root event"?

Can eventstats or streamstats be used with accelerated data model searches?

Splunk and TLS: It doesn't have to be too hard

Faster Insights with AI, Streamlined Cloud-Native Operations, and More New Lantern ...

Splunk Enterprise Security: Your Command Center for PCI DSS Compliance

Join the Conversation

Can eventstats or streamstats be used with accelerated data model searches?

Splunk and TLS: It doesn't have to be too hard

Faster Insights with AI, Streamlined Cloud-Native Operations, and More New Lantern ...

Splunk Enterprise Security: Your Command Center for PCI DSS Compliance