- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Does tstats use datamodels the same way Pivot ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After reading through the Splunk documentation on pivot a few times, I noticed that it describes how it works with regards to datamodels and data model objects in a way that seems to imply that it's unique. This is what it says,
"How does Pivot work? It uses data models to define the broad category of event data that you're working with, and then uses hierarchically arranged collections of data model objects to further subdivide the original dataset and define the attributes that you want Pivot to return results on. Data models and their objects are designed by the knowledge managers in your organization. They do a lot of hard work for you to enable you to quickly focus on a specific subset of event data."
From what I know, tstats uses datamodels and data model objects in the same way. For example: tstats count(foo) from "datamodelname.objectname" would use datamodels the same way as the Splunk documentation describes how pivot uses them(I believe). I'm just unsure if the usage for both is the same because to me, it seems like the documentation seems to suggest that only pivot uses datamodels this way.
So what I'm asking is: does tstats use datamodels the same way that's described in the pivot usage documentation?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My answer would be yes, with some caveats.
My understanding is any time you create a PIVOT chart/table or write a pivot SPL query by hand, and the datamodel you are using is an accelerated datamodel, the actual search is translated into a tstats query, i.e., pivot is just a wrapper for tstats in the case of accelerated datamodels. You can confirm this by looking at the job inspector for that query/PIVOT chart. You will see that the litsearch is actually a tstats query.
When you create a PIVOT chart/table or write a pivot SPL query by hand, and the datamodel you are using is NOT an accelerated datamodel, than the query is converted into something else, not tstats. This makes sense because tstats only works against tsidx (time-series index) files, which are generated when you accelerate a datamodel. I forget what exactly the unaccelerated query is converted into, but you can find out by creating such a query and looking in the job inspector.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My answer would be yes, with some caveats.
My understanding is any time you create a PIVOT chart/table or write a pivot SPL query by hand, and the datamodel you are using is an accelerated datamodel, the actual search is translated into a tstats query, i.e., pivot is just a wrapper for tstats in the case of accelerated datamodels. You can confirm this by looking at the job inspector for that query/PIVOT chart. You will see that the litsearch is actually a tstats query.
When you create a PIVOT chart/table or write a pivot SPL query by hand, and the datamodel you are using is NOT an accelerated datamodel, than the query is converted into something else, not tstats. This makes sense because tstats only works against tsidx (time-series index) files, which are generated when you accelerate a datamodel. I forget what exactly the unaccelerated query is converted into, but you can find out by creating such a query and looking in the job inspector.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In other case it normalizes to listsearch
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
