Is it possible for additional fields to be extracted from a non-accelerated data model at search time? Our ES "Malware" data model contains log events in JSON format. We are parsing/extracting these fields at index time, but we do not explicitly include all of the fields within the data model. However, we would like to be able to extract, or have available, the additional indexed fields at search time.
| from datamodel:"Malware"."Malware_Attacks"
My understanding is that the "| from datamodel" command is inherently not accelerated. I realize we could add the extracted fields to the data model, but that would also include the fields in the acceleration index for that data model, which we do not want to do.
We recently upgraded Splunk Enterprise (6.6.3 to 7.1.2) and ES (4.7.4 to 5.1.0). We have a correlation search that was working prior to the upgrade using this data model and was dependent on additional fields being extracted from the JSON. I'm not sure how, but all of the JSON field extractions were previously available at search time even though they were not explicitly included in the data model (in fact, we never even modified the Malware data model). Since the upgrade, this no longer works, as the additional fields seem to no longer be available at search time. I've reviewed backup configuration files but have not been able to determine a reason for this change in behavior.