Currently, I have not changed anything. I am just asking if I am adding some events through eval expression & then rebuild data model then is it possible of losing data(logs) from buckets?

Or I can still search data through index?

The answer is YES, you can search anything on the index no matter what. Any change on DataModels won't ever affect any data in the indexes. The buckets _raw data are not modified when you rebuild a data model. So have no fear doing that, you won't lose any raw data.

What will happen if you rebuild a DM is exactly what it says: you will get a new DM with the new things you set it up with, which will eventually be different from what you had (but I believe this is what you want)

Let me know if you are cleared up.

thanks @tiagofbmm. I got the answer.

Adding one more query. I have huge data of firewall. So if I am create simple data model on ad-hoc search head than if I am running simple search without use of data model than it can run fast due to existing of data model?

The DataModel are used to standardize different kinds of data that match the same "type". If you have data from different firewall Products, then a DataModel will be very helpful in your searches because they you will be able to search in that DM all the Firewall data from the different vendors in one shot.

But the real big thing about the DataModels are the accelerations. They would make your searches on statistical results maybe a 1000x faster. That is the their major advantage.

If the answer clarifies your question, don't forget to accept

Again Thanks @tiagofbmm , I am not able to accept your answer. Maybe because it's comment section. Can you write something in answer section so maybe I got the option of acceptance?