Splunk Search

Where can I find detailed documentation for using tstats with accelerated data models?

romedome
Path Finder

I'm starting to use accelerated data models to power some dashboards, but I'm having some issues. For example, after a few days of searching, I only recently found out that to reference fields, I need to use the . format and I'm still not clear on what the use of the "nodename" attribute is.

My query to the Splunk sages: Where are these and other data model specifics documented?

1 Solution

shaskell_splunk
Splunk Employee

Here's a good answers post with some nice details on using tstats.

https://answers.splunk.com/answers/186938/what-is-tstats-and-why-is-so-much-faster-than-stat.html

The nodename refers to a child in a datamodel and allows you to constrain your search in a where clause. So given the sample datamodel included with Splunk, 'Splunk's Internal Server Logs - SAMPLE', as an example:

server is the root event. scheduler is a child of server. scheduled_reports is a child of scheduler, which is a child of server.

So you'd use nodename like so:

| tstats prestats=true count from datamodel=internal_server where nodename=server.scheduler.scheduled_reports | stats count

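To tie the two conventions above together (nodename selects a child dataset; every field is referenced with its dataset prefix), here is an added example that is not from the original thread. It assumes the Splunk Common Information Model app is installed and its Authentication data model is accelerated; Failed_Authentication is the child dataset of the Authentication root, so it is addressed as nodename=Authentication.Failed_Authentication, and src and user are referenced as Authentication.src and Authentication.user. The threshold of 20 is a constructed value for illustration. The search counts failed logons per source and user in hourly buckets, using summariesonly=true so only the accelerated summaries are read and the search stays fast.

```spl
| tstats summariesonly=true count
    from datamodel=Authentication
    where nodename=Authentication.Failed_Authentication
    by _time span=1h Authentication.src Authentication.user
| rename Authentication.* as *
| where count > 20
| sort -count
| table _time src user count
```

The rename with a wildcard strips the dataset prefix once tstats has done its work, which keeps the rest of the pipeline (and any dashboard tokens that consume it) free of the dotted names. Dropping summariesonly=true makes tstats fall back to raw events for time ranges the summaries do not cover, which is slower but complete; keep it on for dashboards and turn it off when checking whether the acceleration itself is lagging.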

bandit
Motivator

Took me a little bit of time to figure out how to access my data model fields using tstats so I thought I'd share some examples.

# had to use mvexpand to generate a list for a drop-down menu, without it I was getting commas in my dashboard drop-downs
| tstats values(Host_Metadata_Stats.host_env) as host_env from datamodel=Host_Metadata.Host_Metadata_Stats 
| mvexpand host_env 
| table host_env

# avg calculation with 1 second bucket / span
| tstats count from datamodel=Host_Metadata.Host_Metadata_Stats where Host_Metadata_Stats.index="*" Host_Metadata_Stats.host="**" Host_Metadata_Stats.host_app="*" Host_Metadata_Stats.host_env="*" Host_Metadata_Stats.host_server="*" sourcetype="*" by _time span=1s 
| stats avg(count) as eps

# timechart sum
| tstats count from datamodel=Host_Metadata.Host_Metadata_Stats where Host_Metadata_Stats.index="*" Host_Metadata_Stats.host="**" Host_Metadata_Stats.host_app="*" Host_Metadata_Stats.host_env="*" Host_Metadata_Stats.host_server="*" sourcetype="*" by _time index 
| timechart sum(count) as count by index useother=f

# table
| tstats count sum(Host_Metadata_Stats.event_length) as bytes from datamodel=Host_Metadata.Host_Metadata_Stats where Host_Metadata_Stats.index="*" Host_Metadata_Stats.host="**" Host_Metadata_Stats.host_app="*" Host_Metadata_Stats.host_env="*" Host_Metadata_Stats.host_server="*" sourcetype="*" by Host_Metadata_Stats.host_env Host_Metadata_Stats.host_app Host_Metadata_Stats.host_server Host_Metadata_Stats.host Host_Metadata_Stats.host_os Host_Metadata_Stats.index sourcetype source 
| sort Host_Metadata_Stats.host 
| rename Host_Metadata_Stats.host_env as host_env Host_Metadata_Stats.host_app as host_app Host_Metadata_Stats.host as host Host_Metadata_Stats.host_os as host_os Host_Metadata_Stats.index as index Host_Metadata_Stats.host_server as host_server 
| eval mb=round(bytes/1024/1024,2) 
| eval gb=round(bytes/1024/1024/1024,2) 
| sort -bytes

I also found I could get a list of the datamodel field names by using prestats=t in verbose or smart search modes

| tstats prestats=t count from datamodel=Host_Metadata.Host_Metadata_Stats
| table Host_Metadata_Stats*
| transpose 1
| table column

romedome
Path Finder

Thanks. I had previously scoured through these docs trying to dig out tstats idiosyncrasies when using datamodels.


romedome
Path Finder

Nice, all the details are buried in that post. I had missed them on the first skim. : )


David
Splunk Employee

Consider also the .conf talk I gave last year specifically designed to teach people how to use tstats!
Slides: http://conf.splunk.com/files/2016/slides/how-to-scale-from-raw-to-tstats.pdf
Video: http://conf.splunk.com/files/2016/recordings/how-to-scale-from-raw-to-tstats.mp4

Or go to DC for .conf2017 where I will be re-delivering the same talk (with a few updates)!