Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Error when trying to search Network Traffic data model with tstats

jwalzerpitt
Influencer
‎09-23-2020 11:24 AM

I am trying to search the Network Traffic data model, specifically blocked traffic, as follows:

| tstats summariesonly=true allow_old_summaries=true count from datamodel="Network_Traffic"."All_Traffic"."Traffic_By_Action"."Blocked_Traffic"

and I get the following error:

Error in 'DataModelCache': Invalid or unaccelerable root object for datamodel

Am I not chaining the child objects correctly in the search?

Thx

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-23-2020 01:08 PM

The datamodel keyword takes only the root datamodel name.  To specify a dataset within the DM, use the nodename option.  See https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/Tstats#:~:text=indicating,model

| tstats summariesonly=true allow_old_summaries=true count from datamodel="Network_Traffic" where nodename="All_Traffic"."Traffic_By_Action"."Blocked_Traffic"
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-23-2020 01:08 PM

The datamodel keyword takes only the root datamodel name.  To specify a dataset within the DM, use the nodename option.  See https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/Tstats#:~:text=indicating,model

| tstats summariesonly=true allow_old_summaries=true count from datamodel="Network_Traffic" where nodename="All_Traffic"."Traffic_By_Action"."Blocked_Traffic"
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

jwalzerpitt
Influencer
‎09-24-2020 06:05 AM

@richgalloway

Thx for the reply and the info.

When I ran the query 

| tstats summariesonly=true allow_old_summaries=true count from datamodel="Network_Traffic" WHERE nodename="All_Traffic"."Traffic_By_Action"."Blocked_Traffic"

I got the following error: Error in 'TsidxStats': WHERE clause is not an exact query

 Thx

Tags (2)
0 Karma
Reply
Solved! Jump to solution

jwalzerpitt
Influencer
‎09-24-2020 08:05 AM

Figured out the issue after banging away for a little - I had to drop the quotes from the nodenames

 

| tstats summariesonly=true allow_old_summaries=true count from datamodel="Network_Traffic" WHERE nodename=All_Traffic.Traffic_By_Action.Blocked_Traffic BY _time span=1h

 

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...