Hi all, my query is not returning any results and I think it's an error in the query. The clauses 'as' and 'from' in the query are also not coloured, which makes me think they are not being seen as a clause. Does anyone know what the error is?
| tstats summariesonly=true dc(Malware_Attacks.dest) AS dest_count from datamodel=Malware.Malware_Attacks where * by Malware_Attacks.signature | `drop_dm_object_name("Malware_Attacks")` | sort 10 - dest_count
I see similar issues with a search where the from clause specifies a datamodel.dataset - summariesonly=t returns no results but summariesonly=f does.
If you specify only the datamodel in the FROM and use a WHERE nodename=, both options (true/false) return results.
So your search would be:
| tstats summariesonly=true dc(Malware_Attacks.dest) AS dest_count from datamodel=Malware
| sort 10 - dest_count
LMK if that works in your case.
Is this on a search head with Enterprise Security installed? If so, try
summariesonly instead of summariesonly=true. In my experience the latter will cause trouble, if it will even run, on an ES search head, whereas the former is built in to ES and works every time. Also, verify the summary range of the data model: is your search within the summary range?
Is the name of the datamodel Malware or Malware_Attacks?
Also check the query before the macro and see the results, and if no condition is given then you don't need to specify where *.
The datamodel and the wildcard are not the problem here, I am certain of that. I have had the problem with different queries with the same datamodel, and it was a problem with the tokens, but this one doesn't have tokens. But the datamodel is fine.
Does the below query produce results?
| tstats summariesonly=false dc(Malware_Attacks.dest) AS dest_count from datamodel=Malware.Malware_Attacks where * by Malware_Attacks.signature
It seems the datamodel doesn't have any accelerated data.
Have you checked the status of the acceleration?
Settings -> Data models -> Expand arrow next to the datamodel name (on left)
Under "Acceleration" you should see statistics relevant to the acceleration of this specific datamodel
Acceleration panel as pasted from the UI: Rebuild / Update / Edit; 5814. Last Access: 2/21/18 9:35:03.000 AM; Size on Disk; 2/21/18 9:41:24.000 AM
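Two diagnostic searches, added here as an example and not part of the thread, that combine the checks suggested above: the first compares summariesonly=true against summariesonly=false per day to show where the accelerated summary is missing data, the second reads the datamodel's acceleration settings instead of clicking through the UI. The datamodel and dataset names come from the original query; the datamodel/model REST endpoint and its acceleration field are assumptions about the Splunk REST API.

```spl
| tstats summariesonly=true count AS accelerated_events from datamodel=Malware.Malware_Attacks by _time span=1d
| append
    [| tstats summariesonly=false count AS all_events from datamodel=Malware.Malware_Attacks by _time span=1d]
| stats sum(accelerated_events) AS accelerated_events sum(all_events) AS all_events by _time
| fillnull value=0 accelerated_events all_events
| eval missing_from_summary=all_events-accelerated_events
| sort - _time

| rest /servicesNS/-/-/datamodel/model splunk_server=local
| search title=Malware
| table title, eai:acl.app, acceleration
```

A day with all_events greater than zero but accelerated_events equal to zero is outside the summary range or not yet built; an acceleration value with enabled set to false (assumed field layout) means summariesonly=true will never return anything for this datamodel.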
Not sure if I can help you as I haven't worked on data models... though it's open to all to give an answer.
OK, let's check with a simple query:
| tstats summariesonly=true count from datamodel=Malware.Malware_Attacks
Does this give any result?