tstats summariesonly query does not return results

Communicator

Hi all, my query is not returning any results and I think it's an error in the query. The clauses 'as' and 'from' in the query are also not coloured, which makes me think they are not being seen as a clause. Does anyone know what the error is?

| tstats summariesonly=true dc(Malware_Attacks.dest) AS dest_count from datamodel=Malware.Malware_Attacks where * by Malware_Attacks.signature 
| `drop_dm_object_name("Malware_Attacks")` 
| sort 10 - dest_count
Path Finder

I see similar issues with a search where the from clause specifies a datamodel.dataset: summariesonly=t returns no results but summariesonly=f does.
If you specify only the datamodel in the FROM and use a WHERE nodename=..., both options (true/false) return results.
So your search would be:

| tstats summariesonly=true dc(Malware_Attacks.dest) AS dest_count from datamodel=Malware
where nodename=Malware_Attacks
by Malware_Attacks.signature
| `drop_dm_object_name("Malware_Attacks")`
| sort 10 - dest_count

LMK if that works in your case.

Communicator

I am seeing this across the whole of my Splunk ES 5.1.1/7.1.2 system - what version are you using, paddygriffin?

Path Finder

Is this on a search head with Enterprise Security installed? If so, try summariesonly instead of summariesonly=true. In my experience the latter will cause trouble, if it will even run, on an ES search head, whereas the former is built in to ES and works every time. Also, verify the summary range of the data model: is your search within the summary range?
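The summary-range check suggested above can be done with a search rather than by eyeballing the Data Models page. The following SPL is an added diagnostic, not code posted by anyone in this thread: it runs the same tstats over the Malware.Malware_Attacks dataset twice, once restricted to the accelerated summary (summariesonly=true) and once over raw events (summariesonly=false), buckets both by day, and subtracts them. The field names summarized_count, raw_count and unsummarized_count are assumptions chosen for this example; the datamodel and dataset names are the ones from the original question.

```spl
| tstats summariesonly=true count AS summarized_count
    from datamodel=Malware.Malware_Attacks
    by _time span=1d
| append
    [| tstats summariesonly=false count AS raw_count
        from datamodel=Malware.Malware_Attacks
        by _time span=1d]
| stats sum(summarized_count) AS summarized_count sum(raw_count) AS raw_count by _time
| fillnull value=0 summarized_count raw_count
| eval unsummarized_count = raw_count - summarized_count
| sort 0 _time
```

Run it with the same time picker as the search that returns nothing. Days where raw_count is non-zero but summarized_count is zero are either outside the data model's summary range or not yet built (an acceleration status below 100% means the backfill is still running), which is exactly the case where summariesonly=true silently drops to zero results while summariesonly=false still returns data. If every day shows summarized_count=0 even though raw_count is non-zero and the acceleration status looks healthy, the dataset-qualified FROM is the suspect, and the datamodel=Malware ... where nodename=Malware_Attacks form from the earlier reply is the thing to try next. Note that the summariesonly=false leg reads raw events and can be slow on a large index.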

Communicator

Like I said, the wildcard is not the problem, it is the summariesonly. I have a lot of queries in this format with the wildcard, which is not a problem at all.

Motivator

Hey kokanne,

Is the name of the datamodel Malware or Malware_Attacks?
Also check the query before the macro and see the results, and if no condition is given then you don't need to specify where *.

Communicator

The datamodel and the wildcard are not the problem here, I am certain of that. I have had the problem with different queries with the same datamodel, and it was a problem with the tokens, but this one doesn't have tokens. But the datamodel is fine.

Motivator

Try checking with Pivot if you get any results. That might help in finding where exactly the problem is.

Communicator

Pivot gives results.

Motivator

Is the datamodel accelerated?
summariesonly=true will give results only if the datamodel is accelerated.

Communicator

Yes, it is accelerated.

Super Champion

Does the below query produce results?

| tstats summariesonly=false dc(Malware_Attacks.dest) AS dest_count from datamodel=Malware.Malware_Attacks where * by Malware_Attacks.signature

Communicator

Yes, without summariesonly it produces results.

Super Champion

It seems the datamodel doesn't have any accelerated data.
Have you checked the status of the acceleration?
Settings -> Data models -> expand the arrow next to the datamodel name (on the left).
Under "Acceleration" you should see statistics relevant to the acceleration of this specific datamodel.

Communicator

This?

ACCELERATION (Rebuild / Update / Edit)
Status: 94.88% Completed
Access Count: 5814. Last Access: 2/21/18 9:35:03.000 AM
Size on Disk: 165.00MB
Summary Range: 31536000 second(s)
Buckets: 9798
Updated: 2/21/18 9:41:24.000 AM

Super Champion

Looks fine...
Does the below query give results?

| tstats summariesonly=true count from datamodel=Malware.Malware_Attacks where * by Malware_Attacks.signature 

Communicator

No results for this.

Super Champion

Not sure if I can help you, as I haven't worked on data models... though it's open to all to give an answer.
OK, let's check with a simple query:

| tstats summariesonly=true count from datamodel=Malware.Malware_Attacks

Does this give any result?

Communicator

It gives me a result of count = 0, but the Statistics tab says one result.
