Solved: Calculated Data Model Field Value Inaccessible

joeldavideng · ‎12-25-2017

I created a data model called "Process_Creation" with a calculated field that represents the length of a specific string in the modeled events called "command_line_length". I can display the correct values for each event using a table command with "Process_Creation.command_line_length", however that seems to be all I can do with the data model field. When I attempt to compare the value to any numerical value I get zero results no matter the comparison type.

The calculated field is stored as a number and the values are correct so I suspect the "where" command is not referencing the actual stored value. Any ideas?

| datamodel Process_Monitoring Process_Creation search | eval threshold = [ | search index=summary "search_name=pm_command_line_length_stats" earliest=-90d@d latest=-1d@d | stats avg(command_line_length) AS command_line_average stdev(command_line_length) AS command_line_stdev | eval threshold = round(command_line_average + ( command_line_stdev * 6 )) | return $threshold ] | where Process_Creation.command_line_length > threshold

joeldavideng · ‎12-26-2017

For anyone else with the same problem, it appears that doing comparisons against the actual value of a data model field requires you to use enclosing $s to get the value rather than the variable reference.

View solution in original post

joeldavideng · ‎12-26-2017

For anyone else with the same problem, it appears that doing comparisons against the actual value of a data model field requires you to use enclosing $s to get the value rather than the variable reference.

niketn · ‎12-26-2017

@joeldavideng, can you add the final query that worked for you in your answer as well?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

joeldavideng · ‎12-27-2017

Sure thing, it was very close to the original.

| datamodel Process_Monitoring Process_Creation search | eval threshold = [ | search index=summary "search_name=pm_command_line_length_stats" earliest=-90d@d latest=-1d@d | stats avg(command_line_length) AS command_line_average stdev(command_line_length) AS command_line_stdev | eval threshold = round(command_line_average + ( command_line_stdev * 6 )) | return $threshold ] | where $Process_Creation.command_line_length$ > threshold

harsmarvania57 · ‎12-25-2017

Hi @joeldavideng,

To start diagnose the issue first try to search | datamodel Process_Monitoring Process_Creation search | where Process_Creation.command_line_length > 0 are you getting any result ?

joeldavideng · ‎12-26-2017

Performing that query threw a type error "Typechecking failed. The '>' operator received different types" which would indicate that the value is stored as the wrong type. I checked the data model and that field is explicitly set as a number. Is there an implicit cast when you reference the data model?

joeldavideng · ‎12-26-2017

I randomly decided to try adding some $'s to the field to see if I could extract the value of the field and it worked.

| datamodel Process_Monitoring Process_Creation search | where $Process_Creation.command_line_length$ > 100

I guess the calculated fields in a data model behave differently than adhoc fields calculated at search time in a query.

Calculated Data Model Field Value Inaccessible

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life