Data cannot be inherited?

OnePiece
Loves-to-Learn Lots

Hello everyone, I am a newbie in this field, I am looking forward to your help.

I am using Eventgen to create data samples for Splunk Enterprise. 

I have a datamodel "Test", a dataset "datasetA" in that datamodel, "datasetB" inherited from "datasetA" and "datasetC" inherited from "datasetB".

All the data samples satisfy the base search and constraints of all datasets. It means all data samples are the same in the 3 datasets above.

The problem is that there are values for datasetA.fieldname, but not for datasetB.fieldname, even though datasetB is inherited from datasetA.

Does anyone have the same problem?

More information: Sorry that I did not capture it 😞
Example:
|tstats values(datasetA.action) from datamodel=Test -> result: 3 actions
|stats values(datasetA.datasetB.action) from datamodel=Test -> result: no result found

The data samples in datasetA and datasetB are the same.

Thank you for reading ❤️ 

0 Karma

PickleRick
SplunkTrust

The field is available at the level at which it was defined. So if you have - for example - the Network_Traffic datamodel, all fields are defined at the root level - the All_Traffic node. So the proper search would be

| tstats count from datamodel=Network_Traffic.All_Traffic
where nodename=All_Traffic.Traffic_By_Action.Allowed_Traffic
by All_Traffic.src_ip

But as the Performance datamodel has some fields defined at "lower" levels, you can do - for example -

| tstats count from datamodel=Performance.All_Performance
where nodename=All_Performance.OS.Timesync
by All_Performance.OS.Timesync.action

 

0 Karma
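
Applied to the data model in the question, as an added example that is not part of the original thread: it assumes `action` is defined on the root dataset `datasetA` of the `Test` data model (the question does not show the definition). The first search returns the field for every event in `datasetA`; the second and third restrict the events to `datasetB` and `datasetC` with `nodename` while still naming the field by the dataset that defines it.

```spl
| tstats values(datasetA.action) AS action from datamodel=Test.datasetA

| tstats values(datasetA.action) AS action from datamodel=Test.datasetA
    where nodename=datasetA.datasetB

| tstats values(datasetA.action) AS action from datamodel=Test.datasetA
    where nodename=datasetA.datasetB.datasetC
```

If a field were instead defined on `datasetB` itself, its name would be `datasetA.datasetB.<field>`, as in the Performance example above.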

OnePiece
Loves-to-Learn Lots

Thank you for your support,

Hmm, I ensure that all the samples in DatasetA are the same as in DatasetB. Therefore, I do not understand why:
+DatasetA.action has values
+DatasetA.DatasetB.action does not have values

Not only the field "action": all the fields after ".DatasetB" do not have values, even though DatasetB is inherited from DatasetA?
Maybe something is wrong in the datamodel settings?

0 Karma

ITWhisperer
SplunkTrust

Please provide more specific examples of the events you are dealing with.

0 Karma

OnePiece
Loves-to-Learn Lots

Thank you for your support. I have updated the information; sorry that I did not capture it 😞

0 Karma