I use Splunk v7.2 on a Windows server. I have installed some add-ons and apps. The problem is that any query that uses stats or tstats does not return any result (they just return 0).
For example, this is a query from Modsecurity's app:
| tstats summariesonly=true count from datamodel=modsecurity_alerts
I believe I have installed the app correctly.
In addition to that, some of the queries from Splunk app for Windows infrastructure also don't work, this is one of them:
| inputlookup windows_event_system | dedup Host | stats count
I have been googling for a while, but with no luck. Any help is highly appreciated.
Hey man, it seems the search is using accelerate datamodels (first search). Please make sure the datamodel is accelerated. A good idea as well is to run the root search that populates the datamodel to make sure it is matching something. To find that search, click on Settings > Data Models > Open the above datamodel then copy the search that should be under Constraints and use it on a search. If it is not showing anything you either need to adjust your data or adjust the search that populates the datamodel.
About the lookup, it seems it was never populated. You have an option to build the lookups on the App Configuration.
Hope that helps.
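The checks described in the answer above can also be run as searches, which is quicker than clicking through Settings > Data Models. The SPL below is an added example, not from the original thread or from the Modsecurity app; the data model name modsecurity_alerts and the lookup name windows_event_system are taken from the question, and the REST endpoints are the ones Splunk exposes for acceleration status (treat the exact field names as an assumption to confirm against your version).

```spl
| comment "1. Does the raw data match at all? summariesonly=false falls back to
   the unaccelerated events, so a non-zero count here with a zero count for
   summariesonly=true means the summary is missing, not the data."
| tstats summariesonly=false count from datamodel=modsecurity_alerts

| comment "2. Is acceleration enabled on the data model? The acceleration
   field is a JSON blob; look for \"enabled\": true."
| rest /services/datamodel/model splunk_server=local
| search title=modsecurity_alerts
| table title acceleration

| comment "3. How far has the accelerated summary been built? summary.complete
   near 1.0 means tstats summariesonly=true should start returning events."
| rest /services/admin/summarization by_tstats=t splunk_server=local count=0
| search summary.id=*modsecurity_alerts*
| table summary.id summary.complete summary.size summary.earliest_time summary.latest_time

| comment "4. Has the lookup ever been populated? An empty result means the
   saved search that feeds it has not run (rebuild it from App Configuration)."
| inputlookup windows_event_system
| stats count
```

Note that the `| comment` lines are only for reading; run each of the four searches separately in the search bar (Splunk does not accept multiple pipelines in one search). If step 1 already returns 0, the root search under Constraints needs adjusting before acceleration will help, which is exactly the case the answer above describes.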
Accelerating the datamodel fixed the problem, thank you very much!
For tstats count you need to use "where" not "from".
Try this:
| tstats summariesonly=true count where datamodel=modsecurity_alerts