Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why does tstats not work with macros in child dataset?

kyokkygo
Engager
‎02-03-2023 02:42 AM

 

Screenshot 2023-02-03 at 13.37.51.png

I try use macros to get external indexes in child dataset VPN, but search with tstats on this dataset doesn't work.  Example of search:

 

 

| tstats values(sourcetype) as sourcetype from datamodel=authentication.authentication where nodename=authentication.VPN by nodename

 

 

  But when I explicitly enumerate the indexes, then everything works! And also it work with macros when i use search:

 

 

| from datamodel ...

 

 


What's problem? 

Labels (1)
Labels
0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎02-03-2023 04:28 AM

If you use the pivot interface and select the VPN child do you get results?

Can you try this?
| tstats prestats=true summariesonly=false allow_old_summaries=true values(sourcetype) as sourcetype FROM datamodel=Authentication WHERE nodename=Authentication.VPN 
| stats dedup_splitvals=t values(sourcetype)

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...