Hi all, my query is not returning any results and I think it's an error in the query. The clauses 'as' and 'from' in the query are also not coloured, which makes me think they are not being seen as a clause. Does anyone know what the error is?
| tstats summariesonly=true dc(Malware_Attacks.dest) AS dest_count from datamodel=Malware.Malware_Attacks where * by Malware_Attacks.signature
| `drop_dm_object_name("Malware_Attacks")`
| sort 10 - dest_count
I see similar issues with a search where the from clause specifies a datamodel.dataset - summariesonly=t returns no results but summariesonly=f does.
If you specify only the datamodel in the FROM and use a WHERE nodename=, both options (true/false) return results.
So your search would be:
| tstats summariesonly=true dc(Malware_Attacks.dest) AS dest_count from datamodel=Malware
where nodename=Malware_Attacks
by Malware_Attacks.signature
| `drop_dm_object_name("Malware_Attacks")`
| sort 10 - dest_count
LMK if that works in your case.
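An added diagnostic search (not from the original post) that follows the same nodename= form and compares, per day, what the accelerated summary holds against what a raw-event search returns; it assumes the Malware datamodel and Malware_Attacks dataset names from this thread. Days where summary_count stays 0 while raw_count is non-zero are days the summary has not covered, which is exactly when summariesonly=true returns nothing:

```spl
| tstats summariesonly=true count AS summary_count
    from datamodel=Malware where nodename=Malware_Attacks
    by _time span=1d
| append
    [| tstats summariesonly=false count AS raw_count
        from datamodel=Malware where nodename=Malware_Attacks
        by _time span=1d]
| stats sum(summary_count) AS summary_count sum(raw_count) AS raw_count by _time
| fillnull value=0 summary_count raw_count
| eval coverage_pct=if(raw_count>0, round(100*summary_count/raw_count,1), null())
| sort _time
```

Run it over the same time range as the failing search; if coverage_pct is 0 or null for the whole window, the summary range or the acceleration itself is the problem, not the query.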
I am seeing this across the whole of my Splunk ES 5.1.1/7.1.2 system - what version are you using, paddygriffin?
Is this on a search head with Enterprise Security installed? If so, try summariesonly instead of summariesonly=true. In my experience the latter will cause trouble, if it will even run, on an ES search head, whereas the former is built into ES and works every time. Also, verify the summary range of the data model: is your search within the summary range?
Wildcards are not supported, see http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/Tstats#Wildcard_characters
Like I said, the wildcard is not the problem, it is the summariesonly. I have a lot of queries in this format with the wildcard, which is not a problem at all.
Hey kokanne,
Is the name of the datamodel Malware or Malware_Attacks?
Also check the query before the macro and see the results, and if no condition is given then you don't need to specify where *.
The datamodel and the wildcard are not the problem here, I am certain of that. I have had the problem with different queries with the same datamodel, and it was a problem with the tokens, but this one doesn't have tokens. But the datamodel is fine.
Try checking with pivot if you get any results. That might help find where exactly the problem is.
Pivot gives results.
Is the datamodel accelerated?
summariesonly=true will give results only if the datamodel is accelerated.
Yes, it is accelerated.
Does the query below produce results?
| tstats summariesonly=false dc(Malware_Attacks.dest) AS dest_count from datamodel=Malware.Malware_Attacks where * by Malware_Attacks.signature
Yes, without summariesonly it produces results.
It seems the datamodel doesn't have any accelerated data.
Have you checked the status of the acceleration?
Settings -> Data models -> expand the arrow next to the datamodel name (on the left).
Under "Acceleration" you should see statistics relevant to the acceleration of this specific datamodel.
This?
ACCELERATION
Status: 94.88% Completed
Access Count: 5814. Last Access: 2/21/18 9:35:03.000 AM
Size on Disk: 165.00MB
Summary Range: 31536000 second(s)
Buckets: 9798
Updated: 2/21/18 9:41:24.000 AM
looks fine...
Does the query below give results?
| tstats summariesonly=true count from datamodel=Malware.Malware_Attacks where * by Malware_Attacks.signature
No results for this.
Not sure if I can help you as I haven't worked on data models... though it's open to all to give an answer.
OK, let's check with a simple query:
| tstats summariesonly=true count from datamodel=Malware.Malware_Attacks
Does this give any result?
Gives me the result of count = 0, but statistics gives one result; it says