https://community.splunk.com/t5/Splunk-Enterprise-Security/Query-on-Data-models/m-p/491512#M8354 <P>HI Team,<BR /> I have query regarding Data models base search</P> <P>| multisearch [| from datamodel:Endpoint.Filesystem | search tag="change" ] [| from datamodel:Endpoint.Registry | search tag="change" ] [| from datamodel:Change.Endpoint_Changes | search ] | head 100</P> <P>Above is the query for "Recent Endpoint Changes" in Endpoint Changes Dashboard (Splunk Enterprise Security (Endpoint Security Domain))</P> <P>Now query refers to Endpoint.Filesystem data model. This data model includes <CODE>cim_Endpoint_indexes</CODE> macros which refers to index=crowstrike in my environment and 2 tags as tag=filesystem and tag=endpoint. These tags are filled with eventtypes where sourcetypes are specified. Now one of the eventtype refers to sourcetype as aws:cloudtrail. </P> <P>And whatever result i am getting for above query is related to aws:cloudtrail only. </P> <P>Now my understanding is when you are referring to data model in your query then it should gives you results from specified index and in this case index=crowdstrike sourcetype=aws:cloudtrail is invalid but still above search is populating results in dashboard</P> <P>In short data models base search is not fulfilling the specified fields but still results are getting populated</P> <P>Could you please correct my understandings.</P> Sun, 26 Jan 2020 14:11:18 GMT xoriantkbisht 2020-01-26T14:11:18Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Query-on-Data-models/m-p/491512#M8354 <P>HI Team,<BR /> I have query regarding Data models base search</P> <P>| multisearch [| from datamodel:Endpoint.Filesystem | search tag="change" ] [| from datamodel:Endpoint.Registry | search tag="change" ] [| from datamodel:Change.Endpoint_Changes | search ] | head 100</P> <P>Above is the query for "Recent Endpoint Changes" in Endpoint Changes Dashboard (Splunk Enterprise Security (Endpoint Security Domain))</P> <P>Now query refers to Endpoint.Filesystem data model. This data model includes <CODE>cim_Endpoint_indexes</CODE> macros which refers to index=crowstrike in my environment and 2 tags as tag=filesystem and tag=endpoint. These tags are filled with eventtypes where sourcetypes are specified. Now one of the eventtype refers to sourcetype as aws:cloudtrail. </P> <P>And whatever result i am getting for above query is related to aws:cloudtrail only. </P> <P>Now my understanding is when you are referring to data model in your query then it should gives you results from specified index and in this case index=crowdstrike sourcetype=aws:cloudtrail is invalid but still above search is populating results in dashboard</P> <P>In short data models base search is not fulfilling the specified fields but still results are getting populated</P> <P>Could you please correct my understandings.</P> Sun, 26 Jan 2020 14:11:18 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Query-on-Data-models/m-p/491512#M8354 xoriantkbisht 2020-01-26T14:11:18Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Query-on-Data-models/m-p/491513#M8355 <P>Datamodels can contain data from multiple indexes. They're not restricted to a single index or sourcetype.</P> <P>You can easily find all the indexes and sourcetypes associated with a given datamodel with the following:</P> <PRE><CODE>| tstats count from datamodel=your_datamodel_name by index, sourcetype </CODE></PRE> Fri, 07 Feb 2020 18:20:04 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Query-on-Data-models/m-p/491513#M8355 codebuilder 2020-02-07T18:20:04Z