Splunk Search

Does tstats use datamodels the same way Pivot does?

Justin1224
Communicator

After reading through the Splunk documentation on pivot a few times, I noticed that it describes how it works with regard to datamodels and data model objects in a way that seems to imply that it's unique. This is what it says:

"How does Pivot work? It uses data models to define the broad category of event data that you're working with, and then uses hierarchically arranged collections of data model objects to further subdivide the original dataset and define the attributes that you want Pivot to return results on. Data models and their objects are designed by the knowledge managers in your organization. They do a lot of hard work for you to enable you to quickly focus on a specific subset of event data."

From what I know, tstats uses datamodels and data model objects in the same way. For example: tstats count(foo) from "datamodelname.objectname" would use datamodels the same way as the Splunk documentation describes how pivot uses them (I believe). I'm just unsure if the usage for both is the same because, to me, the documentation seems to suggest that only pivot uses datamodels this way.

So what I'm asking is: does tstats use datamodels the same way that's described in the pivot usage documentation?


rjthibod
Champion

My answer would be yes, with some caveats.

My understanding is any time you create a PIVOT chart/table or write a pivot SPL query by hand, and the datamodel you are using is an accelerated datamodel, the actual search is translated into a tstats query, i.e., pivot is just a wrapper for tstats in the case of accelerated datamodels. You can confirm this by looking at the job inspector for that query/PIVOT chart. You will see that the litsearch is actually a tstats query.

When you create a PIVOT chart/table or write a pivot SPL query by hand, and the datamodel you are using is NOT an accelerated datamodel, then the query is converted into something else, not tstats. This makes sense because tstats only works against tsidx (time-series index) files, which are generated when you accelerate a datamodel. I forget what exactly the unaccelerated query is converted into, but you can find out by creating such a query and looking in the job inspector.
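
As an added example (not from the thread), here is the same failed-logon count written once as a pivot search and once as the tstats search it corresponds to over an accelerated data model. The CIM Authentication data model, its Authentication root dataset, the field names action and user, and the summariesonly setting are assumptions about a standard CIM deployment, not details taken from the posts above.

```spl
| pivot Authentication Authentication count(Authentication) AS failures
    FILTER action is "failure"
    SPLITROW user

| tstats summariesonly=true count AS failures
    from datamodel=Authentication.Authentication
    where Authentication.action="failure"
    by Authentication.user
```

Run each search separately and compare the job inspector: with the data model accelerated, the first is rewritten into a tstats litsearch like the second. The summariesonly=true flag restricts tstats to the tsidx summaries; with summariesonly=false (the default), Splunk searches raw events for any time range the acceleration has not yet summarized, which is the behaviour to keep in mind when a pivot and a hand-written tstats give different counts.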

bic
Explorer

In the other case it normalizes to litsearch.
