Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

The Action field shows no result while running a search using Datamodel (tsats)

ralam
Explorer
‎12-14-2020 05:31 AM

Hello,

I recently tuned my Authentication Datamodel and I cannot see any result in the action field while running a search.
Screenshot 2020-12-14 at 6.44.35 PM.png
However I can see the result while using Pivot feature.Screenshot 2020-12-14 at 6.45.37 PM.png

FYI - I used Eval Expression feature while tuning this DM. 

 

 

case((sourcetype="linux" AND isnull(action)),"unknown",sourcetype="linux", action,

sourcetype="AWS",action,

(sourcetype="Okta" AND action="SUCCESS"), "success",

(sourcetype="Okta" AND action="FAILURE"), "failure",

(sourcetype="Duo" AND action="SUCCESS"), "success",

(sourcetype="Duo" AND action="FAILURE"), "failure" )

 

 

 

 

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-14-2020 05:58 AM

After you "tuned" the DM did you re-enable acceleration and allow time for the acceleration to complete?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ralam
Explorer
‎12-14-2020 06:31 AM

Hello @richgalloway,

Yeah, I enabled acceleration and it has been a week since i accelerated it. I can run searches on the datamodel using tsats command but it's only problem is that it won't populate action field in the result. You can see that in the first screenshot I shared. 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-14-2020 07:07 AM

Next steps are:

1) Verify the acceleration is 100% complete.

2) Run the tstats query using the summariesonly=false option.  If you get the expected results then there's a problem with the DM acceleration.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ralam
Explorer
‎12-14-2020 07:40 AM

1) Datamodel acceleration is 100%. 

Screenshot 2020-12-14 at 9.08.22 PM.png

2) With summariesonly=false option I got the same result. Action field did not populate. 

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...

Unlock Instant Security Insights from Amazon S3 with Splunk Cloud — Try Federated ...

Availability: Must be on Splunk Cloud Platform version 10.1.2507.x to view the free trial banner. If you are ...