Hello,
The following search
index=index1 message_type=query
NOT
([|inputlookup lookup1 | fields ip_address |rename ip_address as dns_request_client_ip])
NOT
dns_request_client_ip=127.0.0.1
|stats count by dns_request_client_ip
shows me 23,300 matched events and a table in Statistics with those results.
But when I try to use tstats (in that case the datamodel Network_Resolution has all the data for index1), it shows me 0 results, even though when I only search the tstats datamodel with no other things like the lookup etc. it gives me 5 million matches but doesn't show me anything in Statistics.
Also, in the job inspector it shows me that the highlighted portion didn't result in any results, and the only highlighted part is behind |tstats (in which nothing should be), and it says "NONE |tstats .... ". Why is this NONE there? My tstats is as follows:
|tstats count as count from datamodel=Network_Resolution
where
(message_type=query) by dns_request_client_ip
and then I try to combine it with the rest of the search as stated above via |search:
|search
NOT
([|inputlookup lookup1 | fields ip_address |rename ip_address as dns_request_client_ip])
NOT
dns_request_client_ip=127.0.0.1
|stats count by dns_request_client_ip
There must be something logically wrong with my approach, right?
Thanks a lot for any help.
The where clause of the tstats command must use field names present in the datamodel, which must include the DM object name. DNS.message_type, for example. I don't see dns_request_client_ip in the Network_Resolution datamodel, however. Using a non-existing field in the by clause will produce zero results.
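To show what the answer above means in practice, here is an added example (not part of the original question or answer) of the same search rewritten for tstats. It assumes that the events the poster calls dns_request_client_ip are mapped in the CIM Network_Resolution model to the DNS root object's src field (DNS.src), that message_type uses the CIM-documented value "Query", and that lookup1 with column ip_address is the same lookup used in the original search. Every field referenced in where and by is prefixed with the object name, and the rename back to dns_request_client_ip happens after tstats so the subsearch-built exclusion works unchanged:

```spl
| tstats count
    from datamodel=Network_Resolution
    where DNS.message_type="Query" NOT DNS.src="127.0.0.1"
    by DNS.src
| rename DNS.src as dns_request_client_ip
| search NOT [| inputlookup lookup1 | fields ip_address | rename ip_address as dns_request_client_ip]
```

Before trusting the counts, confirm the field and value names actually present in the accelerated model rather than guessing them from the raw events: `| tstats count from datamodel=Network_Resolution by DNS.message_type` lists the message_type values (and will show whether the stored value is "Query" or "query"), and `| datamodel Network_Resolution` lists every field the model defines; a misspelled or unprefixed field in by silently yields zero rows, which is exactly the symptom described above. Add `summariesonly=true` after `count` if the search should only read accelerated summaries and fail loudly when the acceleration is missing. The 127.0.0.1 exclusion is moved into the tstats where clause because filtering there runs against the tsidx summary, whereas the lookup-driven exclusion has to stay in a later `| search` because the subsearch yields a list of dns_request_client_ip=... terms, which must match the renamed field name.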
Ah gosh, that must be it. Thanks a lot! I'll try it ASAP 🙂
Thanks, Rich!