Why does tstats works different for root event dat...

Splunk Search

Hi.

I have a data model that consists of two root event datasets. Both accelerated using simple SPL.

First dataset I can access using the following

| tstats summariesonly=t count FROM datamodel=model_name 
where nodename=dataset_1 by dataset_1.FieldName

But for the 2nd root event dataset, same format doesn't work. For that, I get events only by referencing the dataset along with the datamodel.

| tstats summariesonly=t count FROM datamodel=model_name.dataset_2 
by dataset_2.FieldName

e.g., the following will not work.

| tstats summariesonly=t count FROM datamodel=model_name 
where nodename=dataset_2 by dataset_2.FieldName

I am trying to understand what causes splunk search to work differently on these datasets when both are at the same level?

Thanks,

~ Abhi

Get Updates on the Splunk Community!

Time to toss the .conf-etti 🎉 — .conf23 registration is open! Join us in Las Vegas July 17-20 for ...

Attention everyone! We have exciting news to share! We are recruiting new members for the Mission Possible: ...

In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...

Why does tstats works different for root event datasets within the same data model