Hello everyone, I am a newbie in this field, I am looking forward to your help.
I am using Eventgen to create data samples for Splunk Enterprise.
I have a datamodel "Test", a dataset "datasetA" in that datamodel, "datasetB" inherited from "datasetA" and "datasetC" inherited from "datasetB".
All the data samples satisfy the base search and constraints of all datasets. It means all data samples are samples in the 3 datasets above.
The problem is there are values of datasetA.fieldname, but not for datasetB.fieldname, even though datasetB is inherited from datasetA.
Does anyone have the same problem?
More information: Sorry, I did not capture it 😞
example: |tstats values(datasetA.action) from datamodel=Test ->result: 3 actions
|stats values(datasetA.datasetB.action) from datamodel=Test ->result: no result found
The data samples in datasetA and datasetB are the same.
Thank you for reading ❤️
The field is available at the level at which it was defined. So if you have - for example - the Network_Traffic datamodel, all fields are defined at the root level - the All_Traffic node. So the proper search would be
| tstats count from datamodel=Network_Traffic.All_Traffic
where nodename=All_Traffic.Traffic_By_Action.Allowed_Traffic
by All_Traffic.src_ip
But as the Performance datamodel has some fields defined at "lower" levels, you can do - for example -
| tstats count from datamodel=Performance.All_Performance
where nodename=All_Performance.OS.Timesync
by All_Performance.OS.Timesync.action
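The rule in this answer, applied to the Test datamodel from the question, as an added example that is not code from any poster in the thread. It assumes `action` is defined on datasetA; the hierarchy dict, the `src_ip` and `offset` fields, and the function names are constructed for illustration.

```python
# Constructed hierarchy (not a real Splunk export): each dataset names its
# parent and lists only the fields it defines itself, not inherited ones.
MODEL = {
    "name": "Test",
    "datasets": {
        "datasetA": {"parent": None, "fields": ["action", "src_ip"]},
        "datasetB": {"parent": "datasetA", "fields": []},
        "datasetC": {"parent": "datasetB", "fields": ["offset"]},
    },
}


def lineage(model, dataset):
    """Dotted path from the root dataset down to `dataset`."""
    path = []
    while dataset is not None:
        path.append(dataset)
        dataset = model["datasets"][dataset]["parent"]
    return ".".join(reversed(path))


def defining_dataset(model, dataset, field):
    """Walk up from `dataset` to the ancestor that defines `field`."""
    node = dataset
    while node is not None:
        if field in model["datasets"][node]["fields"]:
            return node
        node = model["datasets"][node]["parent"]
    raise LookupError(f"{field} is not visible from {dataset}")


def tstats_values(model, dataset, field):
    """Build a tstats search in the shape used in the answer above."""
    # The field keeps the prefix of the level where it was defined.
    owner = lineage(model, defining_dataset(model, dataset, field))
    # The dataset being searched is selected with nodename, not the prefix.
    node = lineage(model, dataset)
    root = node.split(".")[0]
    return (f"| tstats values({owner}.{field}) "
            f"from datamodel={model['name']}.{root} "
            f"where nodename={node}")


if __name__ == "__main__":
    print(tstats_values(MODEL, "datasetB", "action"))
    print(tstats_values(MODEL, "datasetC", "offset"))
```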
Thank you for your support,
Hmm, I ensure that all the samples in DatasetA are the same as in DatasetB. Therefore, I do not understand why:
+DatasetA.action has values
+DatasetA.DatasetB.action does not have values
Not only for the field "action": all the fields after ".DatasetB" do not have values, even though DatasetB is inherited from DatasetA?
Maybe something is wrong in the datamodel settings?
Please provide more specific examples of the events you are dealing with.
Thank you for your support. I have updated the information; sorry, I did not capture it 😞