Solved: Re: Issue with generating a table from accelerated...

wolanm1 · ‎03-28-2020

Hello,

1st off I hope everyone out there is staying safe an healthy. As a result of wahats going on I am being asked to do some stuff with Splunk that I am not too familiar with. I am a n00b when it comes to data models but i have successfully built a couple now and they are working (mostly) but I am having fairly specific problem when trying to search one of them. I have been searching and banging my head against the wall for a couple of days and I am hoping someone can help. So here's the deal...

If I run this search it works and genrates a table with the requested fields:
| datamodel Data_Mode_Name summariesonly=true search
| search src_ip=*
| table src_ip, src_port, src_zone, dest_ip, dest_port, dest_zone, action, acl, index

If I include a default_field like sourcetype or source or an internal_field like _time the search runs but the table come back blank. Here's an example of one that fails:

| datamodel Data_Mode_Name summariesonly=true search
| search src_ip=*
| table _time, src_ip, src_port, src_zone, dest_ip, dest_port, dest_zone, action, acl, index

I'm running Splunk Enterprise v7.14

I'm really hoping this is something simple that I am just missing. Any help would be greatly appreciated!

Cheers,

-Mark W.

PavelP · ‎03-28-2020

you have to prepend fields with dataset name:

| datamodel Network_Traffic All_Traffic summariesonly=true search
| search All_Traffic.src_ip=*
| table _time, All_Traffic.src_ip, All_Traffic.src_port, All_Traffic.src_zone, All_Traffic.dest_ip, All_Traffic.dest_port, All_Traffic.dest_zone, All_Traffic.action, index

acl is not included in the Network_Traffic CIM so you have to extend CIM or use other available field to store acl information.

View solution in original post

PavelP · ‎03-28-2020

you have to prepend fields with dataset name:

| datamodel Network_Traffic All_Traffic summariesonly=true search
| search All_Traffic.src_ip=*
| table _time, All_Traffic.src_ip, All_Traffic.src_port, All_Traffic.src_zone, All_Traffic.dest_ip, All_Traffic.dest_port, All_Traffic.dest_zone, All_Traffic.action, index

acl is not included in the Network_Traffic CIM so you have to extend CIM or use other available field to store acl information.

wolanm1 · ‎03-29-2020

That worked... I was missing something fundamental at the beginning of the search as well... but your example helped me get it figured out! I was specifying the datamodel at the beginning of the search without a dataset name.... so the first few times I tried it it still wasn't working because I was prepending the fields with the datamodel name instead of the dataset name. Thank you very much for your help!

wolanm1 · ‎03-28-2020

Forgot to mention above that this an accelerated data model. Thank you...

to4kawa · ‎03-28-2020

summariesonly
- Syntax: summariesonly=
- Description: This argument applies only to accelerated data models. When set to false, the datamodel search returns both summarized and unsummarized data for the selected data model. When set to true, the search returns results only from the data that has been summarized in TSIDX format for the selected data model. You can use this argument to identify what data is currently summarized for a given data model, or to ensure that a particular data model search runs efficiently. Default: false

There may be the problem your option summariesonly=t
check your data model.

wolanm1 · ‎03-28-2020

Thank you, I guess I missed saying it in my original post but this is an accelerated data model. The search works fine summariesonly=true if I leave _time out of the table.

to4kawa · ‎03-28-2020

Do you try summariesonly=f?

Issue with generating a table from accelerated data model with default fields and internal fields,

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!