Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Searching from a data model using tstats, why am I getting "Error in 'TsidxStats': Invalid root event object for datamodel"?

sushmitha_mj
Communicator
‎07-16-2015 12:16 PM

I created a data model "Aggregate". I added an object which is a root search object named "usage". There is a search that is written for this object which I can view when I go into the data model. I am having trouble searching from this data model.
The search I wrote: 

| tstats max(Usage.field_value) from datamodel="Aggregate"

Where Usage is the root search object and Aggregate is data model name. I get the error 

"Error in 'TsidxStats': Invalid root event object for datamodel "

How should I edit my search? Thanks in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎07-16-2015 12:55 PM

Hi sushmitha_mj,

did you create a root event for your data model? Data models are composed chiefly of object hierarchies built on root event objects, see the docs for more details http://docs.splunk.com/Documentation/Splunk/6.2.4/Knowledge/Designdatamodelobjects#Add_a_root_event_...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎07-16-2015 12:55 PM

Hi sushmitha_mj,

did you create a root event for your data model? Data models are composed chiefly of object hierarchies built on root event objects, see the docs for more details http://docs.splunk.com/Documentation/Splunk/6.2.4/Knowledge/Designdatamodelobjects#Add_a_root_event_...

cheers, MuS

Reply
Solved! Jump to solution

sushmitha_mj
Communicator
‎07-17-2015 07:52 AM

@MuS
I was able to run the query | tstats values(server.licenser.quota.gb) AS gb from datamodel=internal_server by _time it gave me the Gb info against the time. Thanks

0 Karma
Reply
Solved! Jump to solution

sushmitha_mj
Communicator
‎07-16-2015 01:10 PM

Thank @MuS

I added a root object with a constrain and the query now works. But I get no results and no error. How do I query to access my root search output?

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎07-16-2015 01:26 PM

try this run everywhere search:

| tstats values(server.licenser.quota.gb) AS gb from datamodel=internal_server by _time

This will get you the license quota from the Splunk build in internal data model. Adopt it to your needs

Reply
Solved! Jump to solution

sushmitha_mj
Communicator
‎07-16-2015 01:52 PM

@MuS
I am getting the following error
Error in 'TsidxStats': Could not find datamodel: internal_server

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎07-16-2015 02:02 PM

Make sure, you're in the search app and have admin rights.

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...