Splunk Search

Issue with generating a table from accelerated data model with default fields and internal fields,

wolanm1
Explorer

Hello,

1st off I hope everyone out there is staying safe an healthy. As a result of wahats going on I am being asked to do some stuff with Splunk that I am not too familiar with. I am a n00b when it comes to data models but i have successfully built a couple now and they are working (mostly) but I am having fairly specific problem when trying to search one of them. I have been searching and banging my head against the wall for a couple of days and I am hoping someone can help. So here's the deal...

If I run this search it works and genrates a table with the requested fields:
| datamodel Data_Mode_Name summariesonly=true search
| search src_ip=*
| table src_ip, src_port, src_zone, dest_ip, dest_port, dest_zone, action, acl, index

If I include a default_field like sourcetype or source or an internal_field like _time the search runs but the table come back blank. Here's an example of one that fails:

| datamodel Data_Mode_Name summariesonly=true search
| search src_ip=*
| table _time, src_ip, src_port, src_zone, dest_ip, dest_port, dest_zone, action, acl, index

I'm running Splunk Enterprise v7.14

I'm really hoping this is something simple that I am just missing. Any help would be greatly appreciated!

Cheers,

-Mark W.

0 Karma
1 Solution

PavelP
Motivator

you have to prepend fields with dataset name:

| datamodel Network_Traffic All_Traffic summariesonly=true search
| search All_Traffic.src_ip=*
| table _time, All_Traffic.src_ip, All_Traffic.src_port, All_Traffic.src_zone, All_Traffic.dest_ip, All_Traffic.dest_port, All_Traffic.dest_zone, All_Traffic.action, index   

acl is not included in the Network_Traffic CIM so you have to extend CIM or use other available field to store acl information.

View solution in original post

PavelP
Motivator

you have to prepend fields with dataset name:

| datamodel Network_Traffic All_Traffic summariesonly=true search
| search All_Traffic.src_ip=*
| table _time, All_Traffic.src_ip, All_Traffic.src_port, All_Traffic.src_zone, All_Traffic.dest_ip, All_Traffic.dest_port, All_Traffic.dest_zone, All_Traffic.action, index   

acl is not included in the Network_Traffic CIM so you have to extend CIM or use other available field to store acl information.

wolanm1
Explorer

That worked... I was missing something fundamental at the beginning of the search as well... but your example helped me get it figured out! I was specifying the datamodel at the beginning of the search without a dataset name.... so the first few times I tried it it still wasn't working because I was prepending the fields with the datamodel name instead of the dataset name. Thank you very much for your help!

0 Karma

wolanm1
Explorer

Forgot to mention above that this an accelerated data model. Thank you...

0 Karma

to4kawa
Ultra Champion
  • summariesonly
    • Syntax: summariesonly=
    • Description: This argument applies only to accelerated data models. When set to false, the datamodel search returns both summarized and unsummarized data for the selected data model. When set to true, the search returns results only from the data that has been summarized in TSIDX format for the selected data model. You can use this argument to identify what data is currently summarized for a given data model, or to ensure that a particular data model search runs efficiently. Default: false

There may be the problem your option summariesonly=t
check your data model.

0 Karma

wolanm1
Explorer

Thank you, I guess I missed saying it in my original post but this is an accelerated data model. The search works fine summariesonly=true if I leave _time out of the table.

0 Karma

to4kawa
Ultra Champion

Do you try summariesonly=f?

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...