- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Why are data model metrics not showing up with...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why are data model metrics not showing up with this search?
The following searches work :
| tstats `xxxx_summaries_only` avg(All_Performance.Memory.swap_free) AS swap_free FROM datamodel=COY_Performance WHERE nodename="All_Performance.Memory" AND All_Performance.dest="hostname-11"
| tstats `xxxx_summaries_only` avg(All_Performance.Memory.swap) AS swap FROM datamodel=COY_Performance WHERE nodename="All_Performance.Memory" AND All_Performance.dest="hostname-11"
This doesn’t work
| tstats `xxxx_summaries_only` avg(All_Performance.Memory.swap_used) AS swap_used FROM datamodel=COY_Performance WHERE nodename="All_Performance.Memory" AND All_Performance.dest="hostname-11"
But via the pivot on the datamodel, I do see metrics from "All_Performance.Memory.swap_used".
Any reason why my search returns nothing for
| tstats `xxxx_summaries_only` avg(All_Performance.Memory.swap_used) AS swap_used FROM datamodel=COY_Performance WHERE nodename="All_Performance.Memory" AND All_Performance.dest="hostname-11"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try using values() instead of avg(), to check what values are extracting.
Maybe that field configuration in the datamodel was supposed to be a number but was configured as a string?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Values() doesn't work and the field is configured as number
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What do you mean values doesn't work?
What result you get for:
| tstats xxxx_summaries_only values(All_Performance.Memory.swap_used) AS swap_used FROM datamodel=COY_Performance WHERE nodename="All_Performance.Memory" AND All_Performance.dest="hostname-11"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
correct.
tstats xxxx_summaries_only values(All_Performance.Memory.swap_used) AS swap_used FROM datamodel=COY_Performance WHERE nodename="All_Performance.Memory" AND All_Performance.dest="hostname-11"
didn't work
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
didn't work, but what do you get as a result?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"no results found"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try to view the table in the pivot, and click "open in search"
Then inspect the search details and look in search.log
You will find the |tstats that was running in the background
Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...
Preparing your Splunk Environment for OpenSSL3
Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector
