Using generating commands in a data model?

sowings · ‎10-07-2013

I've got a generating command that I want to use in a data model. What's the best way to get my field (attribute) list? Will I have to add them manually? Will this model be eligible for acceleration?

(In this case, it's dbinspect, with a well-structured (and repeatable) output. Would the same restrictions / caveats apply to something like | inputcsv?)

aneels_splunk · ‎10-09-2013

You can use a generating command as part of the search in a search-based object. Then you add the fields (or at least, the relevant subset) to that object using the "auto-extracted attributes" flow in the Data Model Builder. See the data model builder docs for information about extracting fields.

Search-based object aren't eligible for model-wide acceleration, but they do get ad-hoc acceleration when used via the Pivot interface. See this page in the docs for more info on how to take advantage of model-wide acceleration.

mattness · ‎10-09-2013

If you use a generating command in conjunction with a root search object you should be able to add the generated fields as auto-extracted attributes. You won't be able to accelerate the model if it only contains a root search object hierarchy, but "ad hoc" acceleration in Pivot--acceleration on the fly, meaning that pivot completion times improve as you rerun the pivot while in Pivot--will still work.

sowings · ‎10-09-2013

I have a base search of "| dbinspect index=*". When I attempt to add attributes, using the "Auto-extracted" set, I get a warning saying that the search command doesn't support field summary, and I don't have any fields to choose from. More hints?

Using generating commands in a data model?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life