After reading through the Splunk documentation on pivot a few times, I noticed that it describes how it works with regards to datamodels and data model objects in a way that seems to imply that it's unique. This is what it says,
"How does Pivot work? It uses data models to define the broad category of event data that you're working with, and then uses hierarchically arranged collections of data model objects to further subdivide the original dataset and define the attributes that you want Pivot to return results on. Data models and their objects are designed by the knowledge managers in your organization. They do a lot of hard work for you to enable you to quickly focus on a specific subset of event data."
From what I know, tstats uses datamodels and data model objects in the same way. For example: tstats count(foo) from "datamodelname.objectname" would use datamodels the same way as the Splunk documentation describes how pivot uses them (I believe). I'm just unsure if the usage for both is the same because to me, it seems like the documentation seems to suggest that only pivot uses datamodels this way.
So what I'm asking is: does tstats use datamodels the same way that's described in the pivot usage documentation?
My answer would be yes, with some caveats.
My understanding is any time you create a PIVOT chart/table or write a pivot SPL query by hand, and the datamodel you are using is an accelerated datamodel, the actual search is translated into a tstats query, i.e., pivot is just a wrapper for tstats in the case of accelerated datamodels. You can confirm this by looking at the job inspector for that query/PIVOT chart. You will see that the litsearch is actually a tstats query.
When you create a PIVOT chart/table or write a pivot SPL query by hand, and the datamodel you are using is NOT an accelerated datamodel, then the query is converted into something else, not tstats. This makes sense because tstats only works against tsidx (time-series index) files, which are generated when you accelerate a datamodel. I forget what exactly the unaccelerated query is converted into, but you can find out by creating such a query and looking in the job inspector.
In the other case it normalizes to listsearch