Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

The Action field shows no result while running a search using Datamodel (tsats)

ralam
Loves-to-Learn
‎12-14-2020 05:31 AM

Hello,

I recently tuned my Authentication Datamodel and I cannot see any result in the action field while running a search.
Screenshot 2020-12-14 at 6.44.35 PM.png
However I can see the result while using Pivot feature.Screenshot 2020-12-14 at 6.45.37 PM.png

FYI - I used Eval Expression feature while tuning this DM. 

 

 

case((sourcetype="linux" AND isnull(action)),"unknown",sourcetype="linux", action,

sourcetype="AWS",action,

(sourcetype="Okta" AND action="SUCCESS"), "success",

(sourcetype="Okta" AND action="FAILURE"), "failure",

(sourcetype="Duo" AND action="SUCCESS"), "success",

(sourcetype="Duo" AND action="FAILURE"), "failure" )

 

 

 

 

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-14-2020 05:58 AM

After you "tuned" the DM did you re-enable acceleration and allow time for the acceleration to complete?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ralam
Loves-to-Learn
‎12-14-2020 06:31 AM

Hello @richgalloway,

Yeah, I enabled acceleration and it has been a week since i accelerated it. I can run searches on the datamodel using tsats command but it's only problem is that it won't populate action field in the result. You can see that in the first screenshot I shared. 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-14-2020 07:07 AM

Next steps are:

1) Verify the acceleration is 100% complete.

2) Run the tstats query using the summariesonly=false option.  If you get the expected results then there's a problem with the DM acceleration.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ralam
Loves-to-Learn
‎12-14-2020 07:40 AM

1) Datamodel acceleration is 100%. 

Screenshot 2020-12-14 at 9.08.22 PM.png

2) With summariesonly=false option I got the same result. Action field did not populate. 

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...