Splunk Search

Why does tstats work differently for root event datasets within the same data model?

att35
Builder

Hi.

I have a data model that consists of two root event datasets. Both are accelerated using simple SPL.

I can access the first dataset using the following:

| tstats summariesonly=t count FROM datamodel=model_name 
where nodename=dataset_1 by dataset_1.FieldName

But for the 2nd root event dataset, the same format doesn't work. For that, I get events only by referencing the dataset along with the datamodel.

| tstats summariesonly=t count FROM datamodel=model_name.dataset_2 
by dataset_2.FieldName

For example, the following will not work:

| tstats summariesonly=t count FROM datamodel=model_name 
where nodename=dataset_2 by dataset_2.FieldName

I am trying to understand what causes Splunk search to work differently on these datasets when both are at the same level.

Thanks,

~ Abhi


Yaron_Eilat
Engager

I am very new to Splunk but I just encountered the explanation for this in a course 🙂

When no Dataset is specified in the From clause, Splunk assumes the first root Dataset is addressed.

When you want to address any root Dataset other than the first one, you must specify it explicitly.

Therefore, it is best practice to ignore the fact that Splunk assumes the first root Dataset and specify it in every use even if Splunk allows you to save that little bit of typing 😉

| tstats summariesonly=t count FROM datamodel=model_name.dataset_1 
where nodename=dataset_1 by dataset_1.FieldName

0 Karma