Issue with generating a table from accelerated data model with default fields and internal fields,

wolanm1
Explorer

Hello,

1st off, I hope everyone out there is staying safe and healthy. As a result of what's going on, I am being asked to do some stuff with Splunk that I am not too familiar with. I am a n00b when it comes to data models, but I have successfully built a couple now and they are working (mostly). However, I am having a fairly specific problem when trying to search one of them. I have been searching and banging my head against the wall for a couple of days, and I am hoping someone can help. So here's the deal...

If I run this search, it works and generates a table with the requested fields:
| datamodel Data_Mode_Name summariesonly=true search
| search src_ip=*
| table src_ip, src_port, src_zone, dest_ip, dest_port, dest_zone, action, acl, index

If I include a default field like sourcetype or source, or an internal field like _time, the search runs but the table comes back blank. Here's an example of one that fails:

| datamodel Data_Mode_Name summariesonly=true search
| search src_ip=*
| table _time, src_ip, src_port, src_zone, dest_ip, dest_port, dest_zone, action, acl, index

I'm running Splunk Enterprise v7.14.

I'm really hoping this is something simple that I am just missing. Any help would be greatly appreciated!

Cheers,

-Mark W.

1 Solution

PavelP
Motivator

You have to prepend the fields with the dataset name:

| datamodel Network_Traffic All_Traffic summariesonly=true search
| search All_Traffic.src_ip=*
| table _time, All_Traffic.src_ip, All_Traffic.src_port, All_Traffic.src_zone, All_Traffic.dest_ip, All_Traffic.dest_port, All_Traffic.dest_zone, All_Traffic.action, index

acl is not included in the Network_Traffic CIM, so you have to extend the CIM or use another available field to store the acl information.

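As an added illustration of the prefix rule (example queries, not part of PavelP's answer): dataset fields such as src_ip live under the dataset name (All_Traffic.src_ip), while default and internal fields such as _time, index and sourcetype stay unprefixed, which is why a table mixing the two only fills in when each kind is addressed by its own name. The first query is the corrected datamodel search with the prefix stripped afterwards so the table headers read cleanly; the second is the equivalent tstats query, which reads only the accelerated summaries (the same summariesonly=true behaviour) and is the more efficient way to report on an accelerated data model. Network_Traffic and All_Traffic follow the answer above; the 1h span is an assumed value.

```spl
| datamodel Network_Traffic All_Traffic summariesonly=true search
| search All_Traffic.src_ip=*
| table _time, index, sourcetype, All_Traffic.src_ip, All_Traffic.src_port, All_Traffic.dest_ip, All_Traffic.dest_port, All_Traffic.action
| rename All_Traffic.* as *

| tstats summariesonly=true count from datamodel=Network_Traffic.All_Traffic
    where All_Traffic.src_ip=*
    by _time span=1h, index, sourcetype, All_Traffic.src_ip, All_Traffic.src_port, All_Traffic.dest_ip, All_Traffic.dest_port, All_Traffic.action
| rename All_Traffic.* as *
```

Run each query on its own. In the tstats form, _time must be grouped with a span, and any field you want in the output has to appear in the by clause; fields that are not in the accelerated dataset (acl here) cannot be pulled from the summaries by either query.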

wolanm1
Explorer

That worked... I was missing something fundamental at the beginning of the search as well... but your example helped me get it figured out! I was specifying the datamodel at the beginning of the search without a dataset name.... so the first few times I tried it, it still wasn't working because I was prepending the fields with the datamodel name instead of the dataset name. Thank you very much for your help!


wolanm1
Explorer

Forgot to mention above that this is an accelerated data model. Thank you...


to4kawa
Ultra Champion
  • summariesonly
    • Syntax: summariesonly=
    • Description: This argument applies only to accelerated data models. When set to false, the datamodel search returns both summarized and unsummarized data for the selected data model. When set to true, the search returns results only from the data that has been summarized in TSIDX format for the selected data model. You can use this argument to identify what data is currently summarized for a given data model, or to ensure that a particular data model search runs efficiently. Default: false

The problem may be your option summariesonly=t.
Check your data model.


wolanm1
Explorer

Thank you, I guess I missed saying it in my original post, but this is an accelerated data model. The search works fine with summariesonly=true if I leave _time out of the table.


to4kawa
Ultra Champion

Did you try summariesonly=f?
