Splunk Search

tstats returns no results: inconsistencies when searching datamodels via tstats compared to from and datamodel

triest
Communicator

While working on writing a new correlation search, I wasn't getting any results from tstats; since I was pretty sure the data should be there, I switched to the from command and got results. This was not the expected behavior, so I'd greatly appreciate help in figuring out why tstats isn't working.

| tstats count from datamodel=Web.Web by user

and

| tstats count from datamodel=Web.Web by action

both return "No results found" with no indicators by the job drop down to indicate any errors.

| tstats count from datamodel=Web.Web

returns a count in the hundreds of thousands

For comparison:

| from datamodel: "Web"."Web" | stats count by action

returns three rows (action, blocked, and unknown), each with significant counts that sum to the hundreds of thousands (just eyeballing, it matches the number from | tstats count from datamodel=Web.Web).

| from datamodel: "Web"."Web" | stats count by user

returns thousands of rows. The counts sum to the hundreds of thousands and are approximately (eyeballed) equal to the stats count by action.

| from datamodel: "Web"."Web" | stats count

returns a count in the hundreds of thousands that is slightly higher than the previous sums but in the same ballpark.

When considering nulls, the results appear consistent when they return results.

Other notes:

  1. I purposely selected the last 15 minutes because, if I went back in time, the field extractions may not have existed at the time of the accelerations; adding them afterwards could lead to different results, so I want to minimize that possibility.
  2. If I search from the previous day and/or previous week, I see similar situations where I get no results with the by clause
  3. If I go to Settings -> Data models the Web data model is accelerated and is listed at 100.00% completed -- I think this is confirmed by the tstats count without a by clause
  4. If I use the datamodel command the results match the queries from the from command as I would expect.
1 Solution

triest
Communicator

The problem was I didn't specify the data model in the by clause.

What I mean is instead of:

| tstats count from datamodel=Web.Web by user

It should have been:

| tstats count from datamodel=Web.Web by Web.user

Again the key is adding the Web. before the fields.

I knew it had to be something obvious; I had run it by a co-worker hoping to "rubber duck" it and things didn't click. After coming back from lunch, I suddenly had my aha moment.

Sorry for asking such an obvious question -- I know better, and just before starting this correlation search I wrote one using tstats and correctly included the model in the by clause, so I can't even claim it was a little bit of dust. Oh well, hopefully it helps someone in the future.
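The failure mode in the question and the fix in the accepted answer come down to one rule: when tstats runs against an accelerated data model, every field in the by clause, in the where clause, and inside aggregation functions must be qualified with the dataset name (Web.user, not user), and an unqualified field does not error, it just matches nothing. Because a correlation search that silently returns zero rows is a detection that silently stops firing, a small lint for saved searches is worth having. The checker below is an added example and is not code from the original post or from Splunk; it is a regex-based approximation of SPL parsing that covers the by clause, simple comparison operators in where, and the common aggregation functions, and it goes beyond the single by-clause case in the thread. The set of indexed fields it allows unprefixed (_time, index, sourcetype, source, host, splunk_server) is an assumption made here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: indexed/metadata fields that tstats accepts without a dataset prefix.
UNPREFIXED_OK = {"_time", "index", "sourcetype", "source", "host", "splunk_server"}

DATAMODEL_RE = re.compile(r'datamodel\s*=\s*"?(?P<model>\w+)(?:\.(?P<dataset>\w+))?"?')
AGG_RE = re.compile(
    r"\b(?:count|dc|values|sum|avg|min|max|earliest|latest|first|last)\((?P<arg>[\w.]+)\)",
    re.IGNORECASE,
)
# The where expression runs up to the by clause, the next pipe, or end of search.
WHERE_RE = re.compile(r"\bwhere\s+(?P<expr>.*?)(?=\s+by\b|\s*\||$)", re.IGNORECASE)
# A field name directly followed by a comparison operator (IN (...) is not handled).
WHERE_FIELD_RE = re.compile(r"(?<![\w.])(?P<f>[A-Za-z_][\w.]*)\s*(?:!=|<=|>=|=|<|>)")
BY_RE = re.compile(r"\bby\s+(?P<fields>[^|]+)", re.IGNORECASE)


@dataclass
class Finding:
    dataset: Optional[str]   # dataset named in datamodel=Model.Dataset, or None
    unprefixed: List[str]    # fields that will silently match nothing
    fixed: str               # the search with the dataset prefix added


def _needs_prefix(name: str, prefix: str) -> bool:
    # Skip empty tokens, key=value options such as span=1h, indexed fields,
    # and names that already carry the Dataset. prefix.
    return bool(name) and "=" not in name and name not in UNPREFIXED_OK \
        and not name.startswith(prefix)


def check_tstats(search: str) -> Finding:
    """Report unqualified field names in a tstats datamodel search and rewrite them."""
    m = DATAMODEL_RE.search(search)
    if not m:
        raise ValueError("search has no datamodel=Model.Dataset clause")
    dataset = m.group("dataset")
    if dataset is None:
        # Only the model is named; the dataset is not stated, so there is nothing to check.
        return Finding(None, [], search)
    prefix = dataset + "."

    candidates: List[str] = [a.group("arg") for a in AGG_RE.finditer(search)]
    w = WHERE_RE.search(search)
    if w:
        candidates += [f.group("f") for f in WHERE_FIELD_RE.finditer(w.group("expr"))]
    b = BY_RE.search(search)
    if b:
        candidates += re.split(r"[,\s]+", b.group("fields").strip())

    unprefixed: List[str] = []
    for name in candidates:
        if _needs_prefix(name, prefix) and name not in unprefixed:
            unprefixed.append(name)

    fixed = search
    for name in unprefixed:
        # Prefix bare occurrences only; an already-qualified Dataset.field is left alone.
        fixed = re.sub(rf"(?<![\w.]){re.escape(name)}(?![\w.])", prefix + name, fixed)
    return Finding(dataset, unprefixed, fixed)


if __name__ == "__main__":
    # Constructed sample searches, including the one from the question.
    for spl in [
        "| tstats count from datamodel=Web.Web by user",
        '| tstats count from datamodel=Web.Web where action="blocked" AND src!="10.0.0.1" by user',
        "| tstats summariesonly=t count from datamodel=Web",
    ]:
        f = check_tstats(spl)
        print(f"unprefixed={f.unprefixed}\n  {spl}\n  -> {f.fixed}")
```

Run it over the search strings in savedsearches.conf before deploying a correlation search; any non-empty unprefixed list is a search that would have produced "No results found" with no error indicator, exactly as in the question above.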


codebuilder
SplunkTrust

The dot notation you're using doesn't seem quite right.

Specify the DM without it, and verify acceleration is working by limiting your search to only the indexed data:

| tstats summariesonly=t count from datamodel=Web

If your datamodel is tied to an app, be sure you are searching within that context, and your user has adequate permissions to both.

----
An upvote would be appreciated and Accept Solution if it helps!