tstat and stat commands do not return any result

vtsco
New Member

I use Splunk v7.2 on a Windows server. I have installed some add-ons and apps. The problem is that any query that uses stat or tstat does not return any result (they just return 0).

For example, this is a query from Modsecurity's app:

| tstats summariesonly=true count from datamodel=modsecurity_alerts

I believe I have installed the app correctly.

In addition to that, some of the queries from the Splunk App for Windows Infrastructure also don't work. This is one of them:

| inputlookup windows_event_system | dedup Host | stats count

I have been googling for a while, but with no luck. Any help is highly appreciated.

0 Karma
1 Solution

gfreitas
Builder

Hey man, it seems the search is using accelerated datamodels (first search). Please make sure the datamodel is accelerated. A good idea as well is to run the root search that populates the datamodel to make sure it is matching something. To find that search, click on Settings > Data Models > Open the above datamodel, then copy the search that should be under Constraints and use it on a search. If it is not showing anything, you either need to adjust your data or adjust the search that populates the datamodel.

About the lookup, it seems it was never populated. You have an option to build the lookups on the App Configuration.

Hope that helps.

0 Karma
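
The checks described in the answer above can be run as one search. This is an added example, not part of the original thread; the output field names (accelerated, all_events, lookup_rows, datamodel_state, lookup_state) are chosen here for illustration. It relies on `summariesonly=false` making `tstats` also search events that have not been summarized, so the two counts can be compared over the same time range.

```spl
| tstats summariesonly=true count AS accelerated from datamodel=modsecurity_alerts
| appendcols
    [| tstats summariesonly=false count AS all_events from datamodel=modsecurity_alerts]
| appendcols
    [| inputlookup windows_event_system | stats count AS lookup_rows]
| eval datamodel_state=case(
    all_events==0, "constraint search matches no events: check the data or the datamodel constraints",
    accelerated==0, "events match but no acceleration summaries exist: enable acceleration",
    true(), "acceleration summaries present")
| eval lookup_state=if(lookup_rows==0,
    "lookup is empty: build it from the app configuration",
    "lookup populated")
| table accelerated all_events datamodel_state lookup_rows lookup_state
```

A non-zero all_events with accelerated at 0 matches the situation in this thread, where enabling acceleration on the datamodel resolved the empty result.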

vtsco
New Member

Accelerating the datamodel fixed the problem, thank you very much!

0 Karma

codebuilder
SplunkTrust

For tstats count you need to use "where" not "from".

Try this:

 | tstats summariesonly=true count where datamodel=modsecurity_alerts
----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma