Re: How to use specific dataset in case of multipl...

AKG1_old1 · ‎06-06-2019

Hello,

In our datamodel, we have multiple datasets (root events/ root search).
But only the 1st one is working in the tstat search.

In below example I have 3 datasets, only SERVICE dataset is working, if I remove SERVICE then BA_LIVEBOOK will work and if remove BA_LIVEBOOK as well then RISKENGINE will work.

Data Model Structure

Below search query is to access BA_LIVEBOOK dataset but it will work only if I remove SERVICE EVENT.
Is there a different way of access in case of multiple datasets?

| tstats values(BA_LIVEBOOK.NPID) as NPID FROM datamodel=SERVICE_V7 WHERE (nodename=BA_LIVEBOOK) GROUPBY source

DavidHourani · ‎06-08-2019

Hi @agoyal,

What are the populating searches for your root events/searches ?

If they are independent I would advise you to go ahead and build a separate DM for each of the root searches, a general rule of thumb would be to have a root search and then child searches to get the best performance and avoid the kind of issues you're having.

Cheers,
David,

AKG1_old1 · ‎06-10-2019

data in different dataset are related but queries are different. I can't use as parent/child because I am using "|" in constraint which is not allowed in child. we have 4 datasets now and may get increase later. Managing would be eaiser to have single datamodel.

Anyway, My consern is If there is option of having mutliple datasets then I don't understand why we can't use like this. May be I am missing some property which require to call the dataset in search query.

How to use specific dataset in case of multiple dataset in datamodel ?

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?