I'm having issues with my datamodel-based dashboards after upgrading the app to 6.0.1, and I think I've narrowed down the cause. Just to reiterate the troubleshooting steps for "Only 'Overview' or 'Real-time Event Feed' dashboard has data":
-Acceleration is enabled
-Data model is 100% built
-Increasing Time range to All time produces no additional
Here is an example dashboard search which is not populating results for me
=Search=
| tstats values(log.flags) AS log.flags, count FROM datamodel=pan_firewall WHERE nodename="log.url" """" log.action="" GROUPBY _time log.dest_name log.app:category log.app log.action log.content_type log.vendor_action | rename "log.action" as action, "log.app" as app, "log.app:category" as "app:category", "log.content_type" as content_type, "log.dest_name" as dest_name, "log.flags" as flags, "log.vendor_action" as vendor_action, "log." as "*"
=Error shown=
This search has completed and found 2,860,331 matching events in 19.376 seconds. However, the transforming commands in the highlighted portion of the following search:
generated no results. Possible solutions are to:
check the syntax of the commands
verify that the fields expected by the report commands are present in the events
When I manually run this search to look at results from the datamodel, I notice the following missing fields:
| datamodel pan_firewall search | search *
Missing from Datamodel -- present in Datamodel
log.dest_name -- dest_name
log.app:category -- raw_category
log.content_type -- ??
log.vendor_action -- vendor_action
log.flags -- flags
When I replace all the field names on the left (missing in datamodel) with their present version on the right and re-run the dashboard search manually, everything starts working again.
Example "Fixed" search...
| tstats values(log.flags) AS log.flags, count FROM datamodel=pan_firewall WHERE nodename="log.url" """" log.action="" GROUPBY _time dest_name raw_category log.app log.action vendor_action | rename "log.action" as action, "log.app" as app, "raw_category" as "app:category", "dest_name" as dest_name, "log." as "*"
Can someone please help me understand what is going on with the datamodel?
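Added here as an example (not from the post or the Palo Alto Networks app): a Python check that extracts the field names a tstats search reads from the data model and reports those absent from the `| datamodel ... search` output, which is the mismatch that makes tstats return no results. The dashboard search and the observed field list are constructed from the ones in the post.

```python
import re

# Constructed sample: the dashboard's tstats search, trimmed to the clauses that
# reference data model fields; the WHERE value is a placeholder.
DASHBOARD_SEARCH = (
    '| tstats values(log.flags) AS log.flags, count FROM datamodel=pan_firewall '
    'WHERE nodename="log.url" log.action="*" '
    'GROUPBY _time log.dest_name log.app:category log.app log.action '
    'log.content_type log.vendor_action | rename "log.action" as action'
)
# Constructed sample: field names as `| datamodel pan_firewall search` showed them
# in the post (prefixed names are model fields, unprefixed ones raw extractions).
OBSERVED_FIELDS = {"log.action", "log.app", "dest_name", "raw_category",
                   "vendor_action", "flags"}

FUNC_ARG_RE = re.compile(r"\b(?:values|dc|count|sum|max|min|avg)\(([^)]+)\)", re.I)
WHERE_RE = re.compile(r"\bWHERE\s+(.*?)\s+GROUPBY\b", re.I | re.S)
GROUPBY_RE = re.compile(r"\bGROUPBY\s+(.*?)(?:\s*\||$)", re.I | re.S)
KEY_RE = re.compile(r"([A-Za-z0-9_.:]+)\s*=")


def referenced_fields(search: str) -> set:
    """Field names the tstats clauses read from the data model."""
    fields = {m.group(1).strip() for m in FUNC_ARG_RE.finditer(search)}
    where = WHERE_RE.search(search)
    if where:  # WHERE keys other than nodename are model fields too
        fields.update(k for k in KEY_RE.findall(where.group(1)) if k != "nodename")
    groupby = GROUPBY_RE.search(search)
    if groupby:  # GROUPBY tokens up to the next pipe; _time is always present
        fields.update(t for t in groupby.group(1).split() if t != "_time")
    return fields


def missing_fields(search: str, observed: set) -> list:
    """Referenced fields absent from the data model output: the ones that make
    tstats complete with matching events but produce no rows."""
    return sorted(referenced_fields(search) - observed)


def suggest_replacements(missing: list, observed: set) -> dict:
    """Map each missing object.field to an unprefixed field of the same name
    when one is present (the pattern seen in the post), else None."""
    out = {}
    for f in missing:
        base = f.partition(".")[2]
        out[f] = base if base in observed else None
    return out


if __name__ == "__main__":
    gaps = missing_fields(DASHBOARD_SEARCH, OBSERVED_FIELDS)
    for field, alt in suggest_replacements(gaps, OBSERVED_FIELDS).items():
        print(f"{field:20} -> {alt or '?? (no unprefixed match)'}")
```

Fields that come back as None (here `log.app:category` and `log.content_type`) have no same-named raw extraction and need a manual mapping, as the post does with raw_category.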