Splunk Search

Data cannot be inherited?

OnePiece
Loves-to-Learn Lots

Hello everyone, I am a newbie in this field, I am looking forward to your help.

I am using Eventgen to create data samples for Splunk Enterprise. 

I have a datamodel "Test", a dataset "datasetA" in that datamodel, "datasetB" inherited from "datasetA" and "datasetC" inherited from "datasetB".

All the data samples satisfy the base search and constraints of all datasets. It means all data samples are the same in the 3 datasets above.

The problem is there are values of datasetA.fieldname, but not for datasetB.fieldname even though datasetB is inherited from datasetA.

Does anyone have the same problem?

More information: Sorry, I did not capture it 😞
example: |tstats values(datasetA.action) from datamodel=Test ->result: 3 actions
|stats values(datasetA.datasetB.action) from datamodel=Test ->result: no result found

The data samples in datasetA and datasetB are the same.

Thank you for reading ❤️ 

0 Karma

PickleRick
SplunkTrust

The field is available at the level at which it was defined. So if you have - for example - the Network_Traffic datamodel, all fields are defined at the root level - the All_Traffic node. So the proper search would be

| tstats count from datamodel=Network_Traffic.All_Traffic
where nodename=All_Traffic.Traffic_By_Action.Allowed_Traffic
by All_Traffic.src_ip

But as the Performance datamodel has some fields defined at "lower" levels, you can do - for example -

| tstats count from datamodel=Performance.All_Performance
where nodename=All_Performance.OS.Timesync
by All_Performance.OS.Timesync.action

 

0 Karma
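The naming rule from the reply above, applied to the "Test" model from the question, as an added example (not code from the thread or from Splunk). The dataset layout is constructed: it assumes `action` is defined on `datasetA`, and `detail` is a hypothetical field defined on `datasetC`.

```python
# Constructed description of the "Test" data model from the question.
# Assumption: "action" is defined on the root dataset datasetA;
# "detail" is a hypothetical field defined only on datasetC.
MODEL = "Test"
PARENT = {"datasetA": None, "datasetB": "datasetA", "datasetC": "datasetB"}
DEFINED_FIELDS = {"datasetA": ["action"], "datasetB": [], "datasetC": ["detail"]}


def lineage(dataset):
    """Dotted path from the root dataset down to `dataset`."""
    path = []
    while dataset is not None:
        path.append(dataset)
        dataset = PARENT[dataset]
    return ".".join(reversed(path))


def owner_of(dataset, field):
    """Walk up from `dataset` to the dataset that actually defines `field`."""
    node = dataset
    while node is not None:
        if field in DEFINED_FIELDS[node]:
            return node
        node = PARENT[node]
    raise KeyError(f"{field!r} is not defined on {dataset} or its ancestors")


def tstats_field(dataset, field):
    """Field name for tstats: prefixed with the lineage of the defining dataset."""
    return f"{lineage(owner_of(dataset, field))}.{field}"


def tstats_values(dataset, field):
    """Build a tstats search that limits events to `dataset` via nodename."""
    root = lineage(dataset).split(".")[0]
    return (f"| tstats values({tstats_field(dataset, field)}) "
            f"from datamodel={MODEL}.{root} "
            f"where nodename={lineage(dataset)}")


if __name__ == "__main__":
    # An inherited field keeps the prefix of the dataset that defines it.
    for ds, fld in [("datasetA", "action"), ("datasetB", "action"),
                    ("datasetC", "detail")]:
        print(tstats_values(ds, fld))
```

Under these assumptions the search for `datasetB` still references `datasetA.action`; only the `nodename` filter changes.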

OnePiece
Loves-to-Learn Lots

Thank you for your support,

Hmm, I ensured that all the samples in DatasetA are the same as in DatasetB. Therefore, I do not understand why:
+DatasetA.action has values
+DatasetA.DatasetB.action does not have values

Not only for the field "action": all the fields after ".DatasetB" do not have values, even though DatasetB is inherited from DatasetA?
Maybe something is wrong in the datamodel settings?

0 Karma

ITWhisperer
SplunkTrust

Please provide more specific examples of the events you are dealing with.

0 Karma

OnePiece
Loves-to-Learn Lots

Thank you for your support. I have updated the information; sorry, I did not capture it 😞

0 Karma