Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

The Action field shows no result while running a search using Datamodel (tsats)

ralam
Explorer
‎12-14-2020 05:31 AM

Hello,

I recently tuned my Authentication Datamodel and I cannot see any result in the action field while running a search.
Screenshot 2020-12-14 at 6.44.35 PM.png
However I can see the result while using Pivot feature.Screenshot 2020-12-14 at 6.45.37 PM.png

FYI - I used Eval Expression feature while tuning this DM. 

 

 

case((sourcetype="linux" AND isnull(action)),"unknown",sourcetype="linux", action,

sourcetype="AWS",action,

(sourcetype="Okta" AND action="SUCCESS"), "success",

(sourcetype="Okta" AND action="FAILURE"), "failure",

(sourcetype="Duo" AND action="SUCCESS"), "success",

(sourcetype="Duo" AND action="FAILURE"), "failure" )

 

 

 

 

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-14-2020 05:58 AM

After you "tuned" the DM did you re-enable acceleration and allow time for the acceleration to complete?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ralam
Explorer
‎12-14-2020 06:31 AM

Hello @richgalloway,

Yeah, I enabled acceleration and it has been a week since i accelerated it. I can run searches on the datamodel using tsats command but it's only problem is that it won't populate action field in the result. You can see that in the first screenshot I shared. 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-14-2020 07:07 AM

Next steps are:

1) Verify the acceleration is 100% complete.

2) Run the tstats query using the summariesonly=false option.  If you get the expected results then there's a problem with the DM acceleration.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ralam
Explorer
‎12-14-2020 07:40 AM

1) Datamodel acceleration is 100%. 

Screenshot 2020-12-14 at 9.08.22 PM.png

2) With summariesonly=false option I got the same result. Action field did not populate. 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...