I checked that the CIM data models have inherited _time, but I couldn't retrieve it.
Can anyone tell what's wrong?
| tstats summariesonly=true allow_old_summaries=true count from datamodel=Network_Traffic.All_Traffic where All_Traffic.action=allowed by All_Traffic.src All_Traffic.dest All_Traffic._time
Hi @phil_wong,
Metadata fields are accessible without the node name. You should use _time like below:
| tstats summariesonly=true allow_old_summaries=true count from datamodel=Network_Traffic.All_Traffic where All_Traffic.action=allowed by All_Traffic.src All_Traffic.dest _time
If this reply helps you, an upvote is appreciated.
Thanks @scelikok
Please note that the "_time, source, sourcetype and host" fields in a datamodel are default fields and don't require node_name in the field name.
To get the list of field names available in a datamodel, use:
| datamodel <datamodel_name> search
It just happened that _time is not in the field list, so I was losing my mind.
Thanks for the suggestion!