https://community.splunk.com/t5/Reporting/Splunk-DataModel-Unknown-Fields/m-p/446778#M7195 <P>it's works<BR /> Thank you :</P> Sun, 05 May 2019 12:52:04 GMT burakatabay 2019-05-05T12:52:04Z https://community.splunk.com/t5/Reporting/Splunk-DataModel-Unknown-Fields/m-p/446773#M7190 <P>Hi Splunkers,</P> <P>Is there a way to extract all unknown fields in a Data Model with a single query ?</P> <P>Have a good day :</P> Fri, 03 May 2019 18:47:47 GMT https://community.splunk.com/t5/Reporting/Splunk-DataModel-Unknown-Fields/m-p/446773#M7190 burakatabay 2019-05-03T18:47:47Z https://community.splunk.com/t5/Reporting/Splunk-DataModel-Unknown-Fields/m-p/446774#M7191 <P>Can you define what you mean by "unknown fields"? You set the fields in the data model when you create it. Here's a Splunk query that can pull everything from the json that it saves the data model under. It will show all of the fields that are present in the data model under the objects array:</P> <PRE><CODE>| rest splunk_server="local" "/servicesNS/-/-/data/models" | search title="datamodel_title" | table eai:data | spath input="eai:data" </CODE></PRE> <P>Is that what you are looking for?</P> Fri, 03 May 2019 20:43:41 GMT https://community.splunk.com/t5/Reporting/Splunk-DataModel-Unknown-Fields/m-p/446774#M7191 dmarling 2019-05-03T20:43:41Z https://community.splunk.com/t5/Reporting/Splunk-DataModel-Unknown-Fields/m-p/446775#M7192 <P>Can you define what you mean by "unknown fields"? You set the fields in the data model when you create it. Here's a Splunk query that can pull everything from the json that it saves the data model under. It will show all of the fields that are present in the data model under the objects array:</P> <PRE><CODE>| rest splunk_server="local" "/servicesNS/-/-/data/models" | search title="datamodel_title" | table eai:data | spath input="eai:data" </CODE></PRE> <P>Is that what you are looking for?</P> Fri, 03 May 2019 20:43:41 GMT https://community.splunk.com/t5/Reporting/Splunk-DataModel-Unknown-Fields/m-p/446775#M7192 dmarling 2019-05-03T20:43:41Z https://community.splunk.com/t5/Reporting/Splunk-DataModel-Unknown-Fields/m-p/446776#M7193 <P>Sorry Not exactly.</P> <P>I want to see Splunk CIM Data Model -&gt; model -&gt; unknown fields </P> <P>For example : </P> <P>Endpoint.Processes Datamodel<BR /> process_id = OK<BR /> process_name = OK<BR /> process_exec = unknown<BR /> process_path = unknown </P> <P>how ı see all this unknown fields in one search ? </P> Wed, 30 Sep 2020 00:21:03 GMT https://community.splunk.com/t5/Reporting/Splunk-DataModel-Unknown-Fields/m-p/446776#M7193 burakatabay 2020-09-30T00:21:03Z https://community.splunk.com/t5/Reporting/Splunk-DataModel-Unknown-Fields/m-p/446777#M7194 <P>Like this:</P> <PRE><CODE>| from datamodel YourDataModelNameHere | fieldsummary | regex values = "\"value\":\"unknown\"" | table field </CODE></PRE> Sat, 04 May 2019 20:48:27 GMT https://community.splunk.com/t5/Reporting/Splunk-DataModel-Unknown-Fields/m-p/446777#M7194 woodcock 2019-05-04T20:48:27Z https://community.splunk.com/t5/Reporting/Splunk-DataModel-Unknown-Fields/m-p/446778#M7195 <P>it's works<BR /> Thank you :</P> Sun, 05 May 2019 12:52:04 GMT https://community.splunk.com/t5/Reporting/Splunk-DataModel-Unknown-Fields/m-p/446778#M7195 burakatabay 2019-05-05T12:52:04Z https://community.splunk.com/t5/Reporting/Splunk-DataModel-Unknown-Fields/m-p/521511#M8464 <P><SPAN>Try This...<BR /><BR />| datamodel&nbsp;</SPAN><STRONG>data_model_name</STRONG><SPAN>&nbsp;</SPAN><STRONG>root_object_name</STRONG><SPAN>&nbsp;search | table _time, sourcetype,&nbsp;</SPAN><STRONG>root_object_name.*</STRONG></P><P>Example: | datamodel Network_Traffic All_Traffic search| search&nbsp;All_Traffic.*="unknown" | dedup sourcetype | table _time, sourcetype, All_Traffic.*</P> Fri, 25 Sep 2020 16:22:43 GMT https://community.splunk.com/t5/Reporting/Splunk-DataModel-Unknown-Fields/m-p/521511#M8464 VSIRIS 2020-09-25T16:22:43Z