When I do a search with |from datamodel, the search results are the same as when I do a search with |datamodel, but the field names are different:
|from datamodel:Authentication.Successful_Authentication | table *
returns field names like src, dest, action
and
|datamodel Authentication Successful_Authentication search | table *
returns field names like Authentication.src, Authentication.dest, and Authentication.action.
Why are the field names different in the search results?
The |from command flattens the data model hierarchy, so the field names are the same but are no longer prefaced by the hierarchical syntax like with the |datamodel command, so you get just dest or src instead of Authentication.dest or Authentication.src.
The |from command uses the datamodel constraints in regular search, so you get them without the field names, whereas the |datamodel command actually uses the full datamodel framework, so you get the prefixes and other things.
(sorry I waited too long to answer my own question!)
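An added example, not part of the original posts: because the two commands return the same events under different field names, a search written for one form can be reused with the other by stripping the dataset prefix with a wildcard rename. The stats clause is an illustrative assumption; the first search is the |datamodel form with the prefix removed, the second is the |from form, and both end up with the same src, dest and action columns.

```spl
| datamodel Authentication Successful_Authentication search
| rename Authentication.* AS *
| stats count BY src, dest, action

| from datamodel:Authentication.Successful_Authentication
| stats count BY src, dest, action
```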