- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Knowledge Management
- :
- What are some use cases where it is best to use ac...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What are some use cases where it is best to use accelerated datamodels?
Hi there.
The only possible way to access accelerated datamodels is by using the tstats command. It is tricky to use tstats in general and for extracting single events.
So, why even using accerelated datamodels if only one command is supported to access it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your question shows that first, you need to go read these pages:
https://answers.splunk.com/answers/186938/what-is-tstats-and-why-is-so-much-faster-than-stat.html
http://docs.splunk.com/Documentation/Splunk/7.0.0/Knowledge/Acceleratedatamodels
Accelerated data models do not HAVE to use tstats. In fact, you CANNOT use an accelerated data model unless at least one of the root hierarchies includes only streaming commands. (In other words, unless one of the data models is going for raw data on the indexers that has not been "blended" in any way with other data.)
So, tstats isn't involved in the acceleration.
You CAN use tstats within a data model, but it is not required:
https://answers.splunk.com/answers/106226/using-tstats-with-a-datamodel.html
You can also use tstats to get data OUT of a data model:
https://answers.splunk.com/answers/500954/joining-accelerated-data-models-using-tstats.html
Once you've reviewed those references, please let us know what other questions we can help you with on this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your answer. But as MuS expected doesn't it reflect my question.
Lets start in the beginning.
Datamodels are great to structure unstructured data. We all know what they are and how to create them or us them from the CIM.
Accelerated datamodels are created with a scheduled search, which run every 15min for a defined searchrange. Those models use additional storage on the indexers and of course CPU power to create them. In fact they are resourceful.
Because the creation of accelerated datamodels is expensive, they must have a added value. In my opinion the value is that the data is accessible much faster. But the only way to access those data is by using tstats
| tstats summariesonly=t avg(foo) FROM datamodel=buttercup_games WHERE bar=value2 baz>5
But I don't only want to create stats of accelerated datamodels. I want to make searches on the data within the accelerated datamodel and get events out of it. Something like
search datamodel=buttercup_games foo=value bar=value2
But there is no such command.
so, why using accelerated datamodels if we only can make tstats and not properly search for events?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I reckon the question is about the usage of tstats against datamodel, like in
| tstats count FROM datamodel=network WHERE foo=baz ....
not on the usage of tstats in the datamodel root/search events ... but I could also be wrong ¯\_(ツ)_/¯
cheers, MuS
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
