While working on writing a new correlation search, I wasn't getting any results from tstats; since I was pretty sure the data should be there, I switched to using the from command and got results. This was not the expected behavior, so I'd greatly appreciate help in figuring out why tstats isn't working.
| tstats count from datamodel=Web.Web by user
and
| tstats count from datamodel=Web.Web by action
both return "No results found" with no indicators by the job drop-down to indicate any errors.
| tstats count from datamodel=Web.Web
returns a count in the hundreds of thousands
For comparison:
| from datamodel: "Web"."Web" | stats count by action
returns three rows (action, blocked, and unknown) each with significant counts that sum to the hundreds of thousands (just eyeballing, it matches the number from | tstats count from datamodel=Web.Web).
| from datamodel: "Web"."Web" | stats count by user
returns thousands of rows. Summing the counts gives a number in the hundreds of thousands that is approximately (eyeballed) equal to the stats count by action.
| from datamodel: "Web"."Web" | stats count
returns a count in the hundreds of thousands that is slightly higher than the previous sums but in the same ballpark.
When considering nulls, the results appear consistent when they return results.
Other notes:
Using the datamodel command, the results match the queries from the from command as I would expect.
The problem was I didn't specify the data model in the by clause.
What I mean is instead of:
| tstats count from datamodel=Web.Web by user
It should have been:
| tstats count from datamodel=Web.Web by Web.user
Again the key is adding the Web. before the fields.
I knew it had to be something obvious; I had run it by a co-worker hoping to "rubber duck" it and things didn't click. After coming back from lunch, I suddenly had my aha moment.
Sorry for asking such an obvious question -- I know better, and just before starting this correlation search I wrote one using tstats and correctly included the model in the by clause, so I can't even claim it was a little bit of dust. Oh well, hopefully it helps someone in the future.
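Because a correlation search that silently returns no results is a detection gap rather than an error, a pre-deployment check for this exact pitfall is worth having. The following is an added example (not code from this thread or from Splunk): it takes the dataset name from datamodel=Model.Dataset, reports by-fields that lack the Dataset. prefix, and rewrites them. Function names are hypothetical, and it assumes root datasets as used above, where the required prefix is the dataset name (Web.user for datamodel=Web.Web).

```python
"""Lint tstats searches for by-fields missing the data model dataset prefix."""
import re

# Matches the by clause up to the next pipe; group(1) is the field list.
_BY_RE = re.compile(r"\bby\s+([^|]+)")


def dataset_prefix(search: str) -> str:
    """Return the prefix fields need ("Web" for datamodel=Web.Web), or "" if
    the search has no datamodel=Model.Dataset argument."""
    m = re.search(r"\bdatamodel=([\w.]+)", search)
    return m.group(1).split(".")[-1] if m else ""


def by_fields(search: str) -> list:
    """Split the by clause on commas/whitespace; [] when there is no by clause."""
    m = _BY_RE.search(search)
    if not m:
        return []
    return [t for t in re.split(r"[\s,]+", m.group(1).strip()) if t]


def unprefixed_by_fields(search: str) -> list:
    """By-fields that are not written as Dataset.field (the bug in this thread).
    Options such as span=1h and the special _time field are left alone."""
    prefix = dataset_prefix(search)
    if not prefix:
        return []
    return [f for f in by_fields(search)
            if "=" not in f and f != "_time" and not f.startswith(prefix + ".")]


def suggest_fix(search: str) -> str:
    """Return the search with every unprefixed by-field rewritten as Dataset.field."""
    prefix = dataset_prefix(search)
    bad = unprefixed_by_fields(search)
    m = _BY_RE.search(search)
    if not bad or not m:
        return search
    clause = m.group(1)
    for f in bad:
        # Only touch bare tokens, never the "user" inside "Web.user".
        clause = re.sub(rf"(?<![\w.]){re.escape(f)}(?![\w.])", f"{prefix}.{f}", clause)
    return search[:m.start(1)] + clause + search[m.end(1):]


if __name__ == "__main__":
    # The two searches from the question (constructed from the thread above).
    for s in ("| tstats count from datamodel=Web.Web by user",
              "| tstats count from datamodel=Web.Web by Web.user"):
        print(f"{s!r}: unprefixed={unprefixed_by_fields(s)} -> {suggest_fix(s)!r}")
```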
The dot notation you're using doesn't seem quite right.
Specify the DM without it, and verify acceleration is working by limiting your search to only the indexed data:
| tstats summariesonly=t count from datamodel=Web
If your datamodel is tied to an app, be sure you are searching within that context, and your user has adequate permissions to both.