- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: tstats returns no results: inconsistencies whe...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
While working on writing a new correlation search, I wasn't getting any results from tstats; since I was pretty sure the data should be there, I switch to use the from command and got results. This was not the expected behavior, so I'd greatly appreciate help in figuring out why tstats isn't working.
| tstats count from datamodel=Web.Web by user
and
| tstats count from datamodel=Web.Web by action
both return "No results found" with no indicators by the job drop down to indicate any errors.
| tstats count from datamodel=Web.Web
returns a count in the hundreds of thousands
For comparison:
| from datamodel: "Web"."Web" | stats count by action
returns three rows (action, blocked, and unknown) each with significant counts that sum to the hundreds of thousands (just eyeballing, it matches the number from |tstats count from datamodel=Web.Web
| from datamodel: "Web"."Web" | stats count by user
returns thousands of rows. Summing the counts is in the hundreds of thousands and is approximately (eyeballed) equal to the stats count by action
| from datamodel: "Web"."Web" | stats count
returns a count in the hundreds of thousands that is slightly higher than the previous sums but in the same ball park
When considering nulls, the results appear consistent when they return results.
Other notes:
- I purposely selected the last 15 minutes as if I went back in time, the field extractions may not have existed at the time of the accelerations; adding them afterwards could lead to different results, so I want to minimize that possibility
- If I search from the previous day and/or previous week, I see similar situations where I get no results with the by clause
- If I go to Settings -> Data models the Web data model is accelerated and is listed at 100.00% completed -- I think this is confirmed by the tstats count without a by clause
- If I use the
datamodelcommand the results match the queries from thefromcommand as I would expect.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem was I didn't specify the data model in the by clause.
What I mean is instead of:
| tstats count from datamodel=Web.Web by user
It should have been:
| tstats count from datamodel=Web.Web by Web.user
Again the key is adding the Web. before the fields.
I knew it had to be something obvious; I had ran it by a co-worker hoping to "rubber duck" it and things didn't click. After coming back from lunch, I suddenly had my aha moment
Sorry for asking such an obvious question -- I know better and just before starting this correlation search I wrote with using tstats and correctly included the model in the by clause so I can't even claim it was a little bit of dust. Oh well, hopefully it helps some one in the future
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem was I didn't specify the data model in the by clause.
What I mean is instead of:
| tstats count from datamodel=Web.Web by user
It should have been:
| tstats count from datamodel=Web.Web by Web.user
Again the key is adding the Web. before the fields.
I knew it had to be something obvious; I had ran it by a co-worker hoping to "rubber duck" it and things didn't click. After coming back from lunch, I suddenly had my aha moment
Sorry for asking such an obvious question -- I know better and just before starting this correlation search I wrote with using tstats and correctly included the model in the by clause so I can't even claim it was a little bit of dust. Oh well, hopefully it helps some one in the future
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The dot notation you're using doesn't seem quite right.
Specify the DM without it, and verify acceleration is working by limiting your search to only the indexed data:
| tstats summariesonly=t count from datamodel=Web
If your datamodel is tied to an app, be sure you are searching within that context, and your user has adequate permissions to both.
An upvote would be appreciated and Accept Solution if it helps!
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
