I'm starting to use accelerated data models to power some dashboards, but I'm having some issues. For example, after a few days of searching, I only recently found out that to reference fields, I need to use the . format and I'm still not clear on what the use of the "nodename" attribute is.
My query to the Splunk sages: Where are these and other data model specifics documented?
Here's a good answers post with some nice details on using tstats.
https://answers.splunk.com/answers/186938/what-is-tstats-and-why-is-so-much-faster-than-stat.html
The nodename refers to a child in a datamodel and allows you to constrain your search in a where clause. So given the sample datamodel included with Splunk, 'Splunk's Internal Server Logs - SAMPLE', as an example:
server is the root event. scheduler is a child of server. scheduled_reports is a child of scheduler, which is a child of server.
So you'd use nodename like so:
| tstats prestats=true count from datamodel=internal_server where nodename=server.scheduler.scheduled_reports | stats count
Took me a little bit of time to figure out how to access my data model fields using tstats so I thought I'd share some examples.
# had to use mvexpand to generate a list for a drop-down menu, without it I was getting commas in my dashboard drop-downs
| tstats values(Host_Metadata_Stats.host_env) as host_env from datamodel=Host_Metadata.Host_Metadata_Stats
| mvexpand host_env
| table host_env
# avg calculation with 1 second bucket / span
| tstats count from datamodel=Host_Metadata.Host_Metadata_Stats where Host_Metadata_Stats.index="*" Host_Metadata_Stats.host="**" Host_Metadata_Stats.host_app="*" Host_Metadata_Stats.host_env="*" Host_Metadata_Stats.host_server="*" sourcetype="*" by _time span=1s
| stats avg(count) as eps
# timechart sum
| tstats count from datamodel=Host_Metadata.Host_Metadata_Stats where Host_Metadata_Stats.index="*" Host_Metadata_Stats.host="**" Host_Metadata_Stats.host_app="*" Host_Metadata_Stats.host_env="*" Host_Metadata_Stats.host_server="*" sourcetype="*" by _time index
| timechart sum(count) as count by index useother=f
# table
| tstats count sum(Host_Metadata_Stats.event_length) as bytes from datamodel=Host_Metadata.Host_Metadata_Stats where Host_Metadata_Stats.index="*" Host_Metadata_Stats.host="**" Host_Metadata_Stats.host_app="*" Host_Metadata_Stats.host_env="*" Host_Metadata_Stats.host_server="*" sourcetype="*" by Host_Metadata_Stats.host_env Host_Metadata_Stats.host_app Host_Metadata_Stats.host_server Host_Metadata_Stats.host Host_Metadata_Stats.host_os Host_Metadata_Stats.index sourcetype source
| sort host
| rename Host_Metadata_Stats.host_env as host_env Host_Metadata_Stats.host_app as host_app Host_Metadata_Stats.host as host Host_Metadata_Stats.host_os as host_os Host_Metadata_Stats.index as index Host_Metadata_Stats.host_server as host_server
| eval mb=round(bytes/1024/1024,2)
| eval gb=round(bytes/1024/1024/1024,2)
| sort -bytes
I also found I could get a list of the datamodel field names by using prestats=t in verbose or smart search modes
| tstats prestats=t count from datamodel=Host_Metadata.Host_Metadata_Stats
| table Host_Metadata_Stats*
| transpose 1
| table column
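To make the two conventions from the answers above concrete (nodename is the full dotted path from the root dataset, while tstats field references are prefixed with the dataset's own name, as in Host_Metadata_Stats.host_env), here is a small added Python script that is not part of this thread or of Splunk. It parses a data-model definition in the JSON shape Splunk uses (an "objects" list with objectName, parentName and fields), derives each dataset's nodename path, lists the prefixed field names, and flags an unprefixed field reference as invalid. The model below is constructed for the example: the object names follow the sample 'Splunk's Internal Server Logs' model quoted above, but the field names and the "web" dataset are assumptions.

```python
import json

# Constructed data-model definition in the JSON shape Splunk uses for data
# models: an "objects" list where each object carries objectName, parentName
# and a "fields" list. Object names mirror the sample internal_server model
# discussed above; the field names and the "web" dataset are assumptions.
SAMPLE_MODEL_JSON = json.dumps({
    "modelName": "internal_server",
    "objects": [
        {"objectName": "server", "parentName": "BaseEvent",
         "fields": [{"fieldName": "component"}, {"fieldName": "log_level"}]},
        {"objectName": "scheduler", "parentName": "server",
         "fields": [{"fieldName": "savedsearch_name"}]},
        {"objectName": "scheduled_reports", "parentName": "scheduler",
         "fields": [{"fieldName": "result_count"}]},
        {"objectName": "web", "parentName": "server",
         "fields": [{"fieldName": "status"}]},
    ],
})

# parentName values that mark a root dataset (one with no parent object)
ROOT_PARENTS = {"BaseEvent", "BaseSearch", "BaseTransaction"}


def load_model(json_text):
    """Parse a data-model JSON document into a dict."""
    return json.loads(json_text)


def nodename_paths(model):
    """Map every dataset name to its dotted nodename path (root.child...).

    Raises ValueError on a missing parent or a cycle, since either would
    make the hierarchy unusable in a 'where nodename=...' clause.
    """
    parents = {o["objectName"]: o["parentName"] for o in model["objects"]}
    paths = {}
    for name in parents:
        chain = [name]
        while parents[chain[-1]] not in ROOT_PARENTS:
            parent = parents[chain[-1]]
            if parent not in parents:
                raise ValueError(f"{chain[-1]}: unknown parent {parent}")
            if parent in chain:
                raise ValueError(f"cycle through dataset {parent}")
            chain.append(parent)
        paths[name] = ".".join(reversed(chain))
    return paths


def field_references(model, dataset):
    """tstats field names for one dataset, prefixed as 'Dataset.field'."""
    for obj in model["objects"]:
        if obj["objectName"] == dataset:
            return [f"{dataset}.{f['fieldName']}" for f in obj["fields"]]
    raise KeyError(dataset)


def is_valid_reference(model, ref):
    """True only if ref is a properly prefixed Dataset.field name in the model."""
    return any(ref in field_references(model, o["objectName"])
               for o in model["objects"])


def build_tstats(model, dataset, by_field):
    """Assemble a tstats search constrained by nodename and split by one field."""
    ref = f"{dataset}.{by_field}"
    if not is_valid_reference(model, ref):
        raise ValueError(f"{ref} is not a field of dataset {dataset}")
    return ("| tstats count from datamodel=%s where nodename=%s by %s"
            % (model["modelName"], nodename_paths(model)[dataset], ref))


if __name__ == "__main__":
    m = load_model(SAMPLE_MODEL_JSON)
    for name, path in nodename_paths(m).items():
        print(f"{path:40} {field_references(m, name)}")
    print(build_tstats(m, "scheduled_reports", "result_count"))
```

Running it prints each dataset's nodename path next to its prefixed field names, then the assembled search; asking for the bare field savedsearch_name instead of scheduler.savedsearch_name is rejected, which is the mistake the original question describes.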
A couple of doc links, if you haven't already gone through them:
Thanks. I had previously scoured through these docs trying to dig out tstats idiosyncrasies when using datamodels.
Nice, all the details are buried in that post. I had missed them on the first skim. : )
Consider also the .conf talk I gave last year specifically designed to teach people how to use tstats!
Slides: http://conf.splunk.com/files/2016/slides/how-to-scale-from-raw-to-tstats.pdf
Video: http://conf.splunk.com/files/2016/recordings/how-to-scale-from-raw-to-tstats.mp4
Or go to DC for .conf2017 where I will be re-delivering the same talk (with a few updates)!