Pivot command works on tree datamodel but tstats shows "No results found"

shreyans
Path Finder

Hi,

I have a customer scenario where I receive complete machine events, from the parent component down to the deepest child component.
For example, first the entire computer's data arrives, later the events of a sub-component of the computer, then of a sub-sub-component, and so on.

To address this, I have created a data model tree:
first, the grandparent has the query index=myindex in the datamodel;
next, the parent at the next level has the child query componentType=cmpType in the datamodel;
next, the child at the level below has the query componentType=subCmpType in the datamodel;
and so on.

So ideally, if I query the datamodel for the grandparent, I should see all component and sub-component data, including level n in the tree,

and that is what I see when I use the PIVOT command as below:

| pivot grandparentDatamodel parentdatamodel latest(_time) AS "latest_time" SPLITROW parentdatamodelattribute.attribute as attributeName SPLITROW parentdatamodelattribute.attribute2 as attributeName2 SORT 100 parentdatamodelattribute.attribute ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1 | fields - latest_time

But when I use the tstats command below to access any child of parentdatamodel or a child datamodel, I get "No results found":

| tstats prestats=t latest(parentdatamodelattribute.attribute ) AS attributeName from datamodel=grandparentDatamodel | table grandparentDatamodel..parentdatamodel.parentdatamodelattribute.attribute2

Am I making any mistake here?

Can someone suggest the correct way to access a 3rd-level child's attributes in a datamodel?
Or, if the query looks correct, am I making a mistake in some datamodel permission? Any other inputs or pointers to check, please.

Best Regards
- Shreyans Soni

0 Karma

shreyans
Path Finder

This worked when I removed prestats=t from tstats and used nodename in the where condition to select a particular node within the tree datamodel.

ksternberg_splu
Splunk Employee

Do you mean to have the double-dot there in your tstats command?

0 Karma

shreyans
Path Finder

Thanks ksternberg for taking the time to respond.

This worked when I removed prestats=t from tstats and used nodename in the where condition to select a particular node within the tree datamodel.

0 Karma
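
An added example, not taken from any post in this thread, of the two tstats forms the accepted fix points to: the first drops prestats=t and selects one node of the tree with nodename in the where clause; the second keeps prestats=t but pipes the result into stats, the kind of command that output format is meant to feed. The data model Machine_Events, its dataset tree Machine > Component > SubComponent and the field serial are hypothetical names, and serial is assumed to be defined on SubComponent, so it is referenced by its full dataset lineage.

```spl
| tstats latest(_time) AS latest_time
    from datamodel=Machine_Events
    where nodename=Machine.Component.SubComponent
    by Machine.Component.SubComponent.serial
| rename Machine.Component.SubComponent.serial AS serial
| table serial latest_time

| tstats prestats=t latest(_time)
    from datamodel=Machine_Events
    where nodename=Machine.Component.SubComponent
    by Machine.Component.SubComponent.serial
| stats latest(_time) AS latest_time by Machine.Component.SubComponent.serial
```

The two searches are separate and are run one at a time; with prestats=t the renaming happens in the following stats command, not in tstats.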