Say if I have a DataModel1.RootEvent1 set up, with fields extracted:
- Extracted1
- Extracted2
then I add a transaction data set DataModel1.RootTransaction1, with settings like maxspan=30, etc.
Then if I search:
|from datamodel:Datamodel1.RootTransaction1
The events returned will not have an "Extracted1" field, but only a "RootTransaction1.Extracted1" field!
My question is: Splunk must have some use case to rename fields in the RootEvent data set. What is the use case?
If not, can this renaming behaviour just be removed?
Thanks.
Hi @leonjxtan,
This is an expected behavior of Splunk, as you are not accessing your raw events anymore, but the aggregated datamodel events. Think of the datamodel as sort of a "virtual layer" between your raw data and the search layer. You are searching for the data within the data model, so the fields will be prefixed with the data model name.
If this is a problem, you can still use a rename command (or a macro) to remove the DM prefix from the field names:
rename "RootTransaction1.*" as *
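As an added example (not part of the original answer), here is the rename applied inline after pulling the transaction data set. The field names are the ones from the question; `duration` and `eventcount` are assumed here to be the standard transaction fields the data set produces, and the `table` line just makes the unprefixed result visible:

```spl
| from datamodel:DataModel1.RootTransaction1
| rename "RootTransaction1.*" as *
| table _time Extracted1 Extracted2 duration eventcount
```

If several searches consume the same data set, put the `rename` line into a macro (for example `remove_dm_prefix(1)` taking the data set name as its argument, an assumed name) so the prefix handling lives in one place instead of being repeated in every search.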
It just bugs me that this is not the behavior for "Root Event", but only for "Root Transaction". Both are Data Model data sets.
The behavior is not consistent, without obvious reasons behind it.
You have to differentiate between event fields, which are present even before the data model aggregation is running (e.g. indexed extractions, "regular" field extractions), and fields that are created within the data model itself.
You are running a field calculation in the data model (the transaction), hence this will not be a raw event field, but a data model field.
So the behavior is not inconsistent, but expected - for the given reason.
You advised that the reason is to "differentiate between event fields" and Transaction fields.
Fine if that is the reason.
But in the transaction search, only the "RootTransaction1.Extracted1" field exists and the "Extracted1" field is gone. What is there to differentiate against, please? I would say there is nothing to differentiate from, at least nothing from a search consumer's point of view. So why bother renaming?