Splunk Search

Issue with generating a table from accelerated data model with default fields and internal fields

Engager

Hello,

1st off, I hope everyone out there is staying safe and healthy. As a result of what's going on I am being asked to do some stuff with Splunk that I am not too familiar with. I am a n00b when it comes to data models, but I have successfully built a couple now and they are working (mostly). However, I am having a fairly specific problem when trying to search one of them. I have been searching and banging my head against the wall for a couple of days and I am hoping someone can help. So here's the deal...

If I run this search it works and generates a table with the requested fields:

| datamodel DataModeName summariesonly=true search
| search src_ip=*
| table src_ip, src_port, src_zone, dest_ip, dest_port, dest_zone, action, acl, index

If I include a default field like sourcetype or source, or an internal field like _time, the search runs but the table comes back blank. Here's an example of one that fails:

| datamodel DataModeName summariesonly=true search
| search src_ip=*
| table _time, src_ip, src_port, src_zone, dest_ip, dest_port, dest_zone, action, acl, index

I'm running Splunk Enterprise v7.14

I'm really hoping this is something simple that I am just missing. Any help would be greatly appreciated!

Cheers,

-Mark W.

1 Solution

Motivator

You have to prepend the fields with the dataset name:

| datamodel Network_Traffic All_Traffic summariesonly=true search
| search All_Traffic.src_ip=*
| table _time, All_Traffic.src_ip, All_Traffic.src_port, All_Traffic.src_zone, All_Traffic.dest_ip, All_Traffic.dest_port, All_Traffic.dest_zone, All_Traffic.action, index

acl is not included in the Network_Traffic CIM, so you have to extend the CIM or use another available field to store the acl information.

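The same dataset-qualified field naming applies to tstats, which is the usual way to query an accelerated data model directly from its summaries. The search below is an added example, not code from the original poster or the answerer; it assumes the CIM Network_Traffic model with its All_Traffic dataset is accelerated and that the underlying events carry sourcetype. Because _time is not a dataset field, it is bucketed with span= in the by clause, and the rename strips the All_Traffic. prefix so the final table uses the short field names the original poster wanted.

```spl
| tstats summariesonly=true count
    from datamodel=Network_Traffic.All_Traffic
    where All_Traffic.src_ip=*
    by _time span=5m,
       All_Traffic.src_ip, All_Traffic.src_port, All_Traffic.src_zone,
       All_Traffic.dest_ip, All_Traffic.dest_port, All_Traffic.dest_zone,
       All_Traffic.action, index, sourcetype
| rename All_Traffic.* AS *
| table _time, src_ip, src_port, src_zone, dest_ip, dest_port, dest_zone, action, index, sourcetype, count
```

Two things to check if this comes back empty: summariesonly=true returns nothing for any part of the time range that has not been summarized yet (see the summariesonly description quoted later in this thread), so compare against summariesonly=false or inspect the acceleration status of the model; and any field that is not a dataset field, an indexed field (index, sourcetype, source, host) or _time will not exist in the summary and will simply drop out of the results.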

Engager

That worked... I was missing something fundamental at the beginning of the search as well... but your example helped me get it figured out! I was specifying the datamodel at the beginning of the search without a dataset name.... so the first few times I tried it, it still wasn't working because I was prepending the fields with the datamodel name instead of the dataset name. Thank you very much for your help!


Engager

Forgot to mention above that this is an accelerated data model. Thank you...


Ultra Champion
  • summariesonly
    • Syntax: summariesonly=
    • Description: This argument applies only to accelerated data models. When set to false, the datamodel search returns both summarized and unsummarized data for the selected data model. When set to true, the search returns results only from the data that has been summarized in TSIDX format for the selected data model. You can use this argument to identify what data is currently summarized for a given data model, or to ensure that a particular data model search runs efficiently. Default: false

The problem may be your option summariesonly=t;
check your data model.


Engager

Thank you, I guess I missed saying it in my original post, but this is an accelerated data model. The search works fine with summariesonly=true if I leave _time out of the table.


Ultra Champion

Did you try summariesonly=f?
