- Splunk Answers
- :
- Splunk Administration
- :
- Knowledge Management
- :
- In Data model, Root Transaction, why does Splunk n...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In Data model, Root Transaction, why does Splunk need to rename my Root Event fields???
Say if I have a DataModel1.RootEvent1 set up, with fields extracted:
- Extracted1
- Extracted2
then I adds a transaction data set DataModel1.RootTransaction1, with settings like maxspan=30, etc.
Then if I search:
|from datamodel:Datamodel1.RootTransaction1
The events return will not have "Extracted1" field, but only "RootTransaction1.Extracted1" field!
My question is: Splunk must have some use case to rename fields in the RootEvent data set. What is the use case?
If not, can this renaming behaviour just be removed?
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @leonjxtan,
This is an expected behavior of Splunk, as you are not accessing your raw events anymore, but the aggregated datamodel events. Think of the datamodel as sort of a "virtual layer" between your raw data and the search layer. You are searching for the data within the data model, so the fields will be prefixed with the data model name.
If this is a problem, you can still use a rename command (or a macro) to remove the DM prefix from the field names:
rename "RootTransaction1.*" as *
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It just bugs me that this is not behavior for "Root Event", but only "Root Transaction". Both are Data Model data sets.
Behavior is not consistent without obvious reasons behind.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have to differenciate between event fields, that are present even before the data model aggregation is running (e.g. indexed extractions, "regular" field extractions) and fields that are created within the data model itself.
You are running a field calculation in the data model (the transaction), hence this will not be a raw event field, but a data model field.
So the behavior is not inconsistent, but expected - for the given reason.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you advised the reason is to "differentiate between event fields" and Transaction fields.
Fine if that is the reason.
but in the transaction search, only "RootTransaction1.Extracted1" field exist and "Extracted1" field is gone. What is there to be differentiate against, please? I would say nothing to differentiate from, at least nothing on search consumer's point of view. So why bother renaming?
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
