
Use "Data Model" definitions to extract fields in Search

FRoth
Contributor

I've already created a lot of field extractions in my Data Model definition to create Pivot views.

Is there a way to apply these definitions as extractions in my app's search? Or do I have to define the same extractions again to create new fields in the search view?

1 Solution

jspears
Communicator

There is a new search command, pivot, for using data model: http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Pivot

Or to use data model data with the usual reporting commands, you can use: http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Datamodel


sowings
Splunk Employee

It seems that the field extractions written into the data model (the JSON which stores it) are stored just there, and not within the general props of the sourcetype. In order to "backfill", I might apply the regular expressions to the sourcetype with the Fields submenu of the manager. Note that if you start with the complete set of field extractions on the sourcetype before creating your data model, the model's "auto-extracted" field list should show all of the fields on the sourcetype (assuming the sample result set is large enough to tickle all of the extractions).

Personally, I'd do field extractions first, and then the data model. But I'm firmly rooted in Splunk 4.x, 5.x, etc. 🙂
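The backfill described in the reply above can be scripted. The following Python is an added example, not code from this thread or from Splunk: it reads a data model definition and emits props.conf `EXTRACT-` lines for its regex-based fields. The JSON key names (`objects`, `calculations`, `calculationType`, `inputField`, `expression`, `outputFields`) are an assumption about the stored model format, and the model, sourcetype and regexes are constructed sample values.

```python
import json

# Constructed sample definition. The key names are an ASSUMPTION about how the
# data model JSON is laid out; compare against your own model before use.
SAMPLE_MODEL = r'''
{
  "modelName": "example_fw",
  "objects": [
    {
      "objectName": "Traffic",
      "calculations": [
        {"calculationType": "Rex", "inputField": "_raw",
         "expression": "src=(?<src_ip>\\d+\\.\\d+\\.\\d+\\.\\d+)",
         "outputFields": [{"fieldName": "src_ip"}]},
        {"calculationType": "Eval", "expression": "upper(action)",
         "outputFields": [{"fieldName": "action_uc"}]},
        {"calculationType": "Rex", "inputField": "url",
         "expression": "^https?://(?<url_host>[^/]+)",
         "outputFields": [{"fieldName": "url_host"}]}
      ]
    }
  ]
}
'''

def rex_to_props(model_json, sourcetype):
    """Return props.conf lines for every regex extraction in the model."""
    model = json.loads(model_json)
    lines = [f"[{sourcetype}]"]
    for obj in model.get("objects", []):
        for calc in obj.get("calculations", []):
            if calc.get("calculationType") != "Rex":
                continue  # eval/lookup fields are not search-time regexes
            fields = "_".join(f["fieldName"] for f in calc.get("outputFields", []))
            src = calc.get("inputField", "_raw")
            # props.conf syntax: EXTRACT-<class> = <regex> [in <source_field>]
            suffix = "" if src == "_raw" else f" in {src}"
            lines.append(
                f"EXTRACT-{obj['objectName']}_{fields} = {calc['expression']}{suffix}"
            )
    return lines

if __name__ == "__main__":
    # "example:fw" is a hypothetical sourcetype name.
    print("\n".join(rex_to_props(SAMPLE_MODEL, "example:fw")))
```

Review the generated stanza before placing it in the app's props.conf, since extractions defined there apply to every search on that sourcetype, not only to the data model.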

