Solved: How to get event _time from CIM data model?

phil_wong · ‎01-11-2021

I checked CIM data models have inherited _time but I couldn't retrieve.

Anyone can tell what's wrong?

| tstats summariesonly=true allow_old_summaries=true count from datamodel=Network_Traffic.All_Traffic where All_Traffic.action=allowed by All_Traffic.src All_Traffic.dest All_Traffic._time

General_Talos · ‎01-12-2021

Thanks @scelikok

@phil_wong

Please note "_time,source, sourcetype and host" fields in datamodel are default fields and doesn't require node_name in field-name

To get list of field name available in datamodel use

| datamodel <datamodel_name> search

View solution in original post

scelikok · ‎01-11-2021

Hi @phil_wong,

Metadata field are accessible without node name. You should use _time like below;

| tstats summariesonly=true allow_old_summaries=true count from datamodel=Network_Traffic.All_Traffic where All_Traffic.action=allowed by All_Traffic.src All_Traffic.dest _time

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

General_Talos · ‎01-12-2021

Thanks @scelikok

@phil_wong

Please note "_time,source, sourcetype and host" fields in datamodel are default fields and doesn't require node_name in field-name

To get list of field name available in datamodel use

| datamodel <datamodel_name> search

phil_wong · ‎01-12-2021

Just happend _time is not in the field list. So I was lost my mind.

Thanks for the suggestion!

How to get event _time from CIM data model?

tstats

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!