- Splunk Answers
- :
- Splunk Administration
- :
- Knowledge Management
- :
- Can we use data model in SPL query with out using ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
While creating dashboard we can create panels/chart using tags , event types OR can use data model to search.. So which is better way and why?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well although the question is a bit vague, I would say that from a performance point of view, if you have DataModels and they are accelerated, then you'd get the best out of it. The benefits rely mainly on the fact that datamodels can be accelerated and your performance much better. Out of that aspect, there is no advantage of using one instead of another. Just use the one that helps you filter data the as soon as possible in the search query
The other great thing you may use is indexed fields, which can be searched with tstats in SPL much faster than search time created/extracted fields.
Lastly, if you are coming to search time extracted fields, either using tags or event types it is really up to your specific context. There is no reason to use one or the other besides the fastest path to filter events in your use case scenario.
Let me know if this is the approach you were expecting
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
-- Can we use data model in SPL query with out using pivot?
Sure, something like | datamodel Web Web search | fields Web*.
Pivot is an interface to the data model, but you can use the data model by yourself.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
okay.. but what i am asking is that..wt benefits we get if we are using datamodel in search rather than use macro or event types?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The benefits rely mainly on the fact that datamodels can be accelerated and your performance much better. Out of that aspect, there is no advantage of using one instead of another. Just use the one that helps you filter data the as soon as possible in the search query
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay...thanks.. got it..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you think it clarified you, please accept the answer for future references.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well although the question is a bit vague, I would say that from a performance point of view, if you have DataModels and they are accelerated, then you'd get the best out of it. The benefits rely mainly on the fact that datamodels can be accelerated and your performance much better. Out of that aspect, there is no advantage of using one instead of another. Just use the one that helps you filter data the as soon as possible in the search query
The other great thing you may use is indexed fields, which can be searched with tstats in SPL much faster than search time created/extracted fields.
Lastly, if you are coming to search time extracted fields, either using tags or event types it is really up to your specific context. There is no reason to use one or the other besides the fastest path to filter events in your use case scenario.
Let me know if this is the approach you were expecting
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
