topic data model field extraction in Splunk Enterprise

data model field extraction

khanlarloo — Tue, 20 Jul 2021 08:49:34 GMT

Hi,I have a dns log whose fields are not extracted properly and so I used Rex.

I encountered a problem. When i search index = dns * source = "516" host = dns -sender All fields are extracted correctly.

But when i search

| "from datamodel:" Network_Resolution

| search dns -sender

My fields get value of unknown.

Can anyone help me !!!!

Re: data model field extraction

venkatasri — Tue, 20 Jul 2021 10:34:07 GMT

Hi @khanlarloo

The fields extracted shall be normalized to fit into Data model that you are querying. You should have CIM app installed to Splunk SH prior and you need to create at a highlevel eventtypes, tags and props for normalization. The process is not straight forward.

This link help you to achieve then if everything is successful you can query the data model (DM) however the field names would be different from you originally extracted.

Use the CIM to normalize data at search time - Splunk Documentation

---

An upvote would be appreciated if this reply helps and Accept the solution!

Re: data model field extraction

khanlarloo — Sat, 31 Jul 2021 12:33:33 GMT

I did everything you said according to the link you sent, but there is still the same problem.