Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I use tstats to extract data from a child d...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I'm trying to use the tstats command within a data model on a data set that has children and grandchildren. Ideally I'd like to be able to use tstats on both the children and grandchildren (in separate searches), but for this post I'd like to focus on the children. Let's say my structure is the following:
data_model
--parent_ds
----child_ds
And let's say we have _time, id, dimension, status, and error as fields. Assuming that parent_ds has no filter on the dimension field, child_ds will have an additional constraint for a specific value of dimension.
I am able to use the tstats command to extract the values from parent_ds with the following search:
| tstats latest(_time) as _time values(parent_ds.status) as status values(parent_ds.error) as error FROM datamodel=data_model.parent_ds BY parent_ds.id
Since I would like to run this same search on child_ds I tried the following:
| tstats latest(_time) as _time values(child_ds.status) as status values(child_ds.error) as error FROM datamodel=data_model.child_ds BY child_ds.id
When doing this I get the following error:
Error in 'DataModelCache': Invalid or unaccelerable root object for datamodel
I've also tried nesting by specifying parent_ds.child_ds.<field> but that doesn't work either.
Is it possible to accomplish what I'm trying to do? If so, could somebody point me in the right direction?
Thank you and best regards,
Andrew
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @andrewtrobec ,
please try to add WHERE nodename=root_dataset.parent_dataset.target_dataset
https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Tstats
Let me know if it worked
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @andrewtrobec ,
please try to add WHERE nodename=root_dataset.parent_dataset.target_dataset
https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Tstats
Let me know if it worked
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@PavelP Thanks so much! I was reading about that parameter, so thanks for reinforcing. This is the working search:
| tstats latest(_time) as _time values(parent_ds.status) as status values(parent_ds.error) as error FROM datamodel=data_model.parent_ds WHERE nodename=parent_ds.child_ds BY parent_ds.id
It's confusing because you always have to extract and group by the parent field, and only in the nodename specify the child (or grandchild). The example (Example 9) in the tstats documentation makes it seem like you don't have to specify the object from which you are extracting...
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
