- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- tstat and stat commands do not return any result
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I use Splunk v7.2 on a Windows server. I have installed some add-ons and apps. The problem is that any query that uses stat or tstat does not return any result (they just return 0).
For example, this is a query from Modsecurity's app:
| tstats summariesonly=true count from datamodel=modsecurity_alerts
I believe I have installed the app correctly.
In addition to that, some of the queries from Splunk app for Windows infrastructure also don't work, this is one of them:
| inputlookup windows_event_system | dedup Host | stats count
I have been googling for a while, but with no luck. Any help is highly appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey man, it seems the search is using accelerate datamodels (first search). Please make sure the datamodel is accelerated. A good idea as well is to run the root search that populates the datamodel to make sure it is matching something. To find that search, click on Settings > Data Models > Open the above datamodel then copy the search that should be under Constraints and use it on a search. If it is not showing anything you either need to adjust your data or adjust the search that populates the datamodel.
About the lookup, it seems it was never populated. You have an option to build the the lookups on the App Configuration.
Hope that helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey man, it seems the search is using accelerate datamodels (first search). Please make sure the datamodel is accelerated. A good idea as well is to run the root search that populates the datamodel to make sure it is matching something. To find that search, click on Settings > Data Models > Open the above datamodel then copy the search that should be under Constraints and use it on a search. If it is not showing anything you either need to adjust your data or adjust the search that populates the datamodel.
About the lookup, it seems it was never populated. You have an option to build the the lookups on the App Configuration.
Hope that helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Accelerating the datamodel fixed the problem, thank you very much!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For tstats count you need to use "where" not "from".
Try this:
| tstats summariesonly=true count where datamodel=modsecurity_alerts
An upvote would be appreciated and Accept Solution if it helps!
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
