topic Re: How do I search using a data model? in Splunk Search

How do I search using a data model?

Mitchellsch — Wed, 20 Jan 2016 15:23:05 GMT

I've been working on a report that shows the dropped or blocked traffic using the interesting ports lookup table. I want to change this to search the network data model so I'm not using the * for my index. Any help on this would be great. Thanks.

index=* action="blocked" OR action="dropped"  [| inputlookup interesting_ports_lookup | fields dest_port] | table dest_port, dest_ip, src, app

Re: How do I search using a data model?

javiergn — Wed, 20 Jan 2016 15:28:13 GMT

Hi,

Take a look at the following two commands:

You can also search on accelerated data models by using the tstats command.

Hope that helps.

Thanks,
J

Re: How do I search using a data model?

somesoni2 — Wed, 20 Jan 2016 15:32:27 GMT

See the documentation to learn how to create data models

http://docs.splunk.com/Documentation/Splunk/6.0/PivotTutorial/Buildtutorialdatamodel

Re: How do I search using a data model?

Mitchellsch — Tue, 29 Sep 2020 08:29:07 GMT

I have my data model search here

| datamodel Network_Traffic All_Traffic search | table All_Traffic.action

I just want to know if I can combine the two searches.

Re: How do I search using a data model?

javiergn — Wed, 20 Jan 2016 15:51:24 GMT

Sorry I'm not sure what you meant there, some characters seem to be missing.
Can you post your searches again but using the Code format button?

You can combine both searches yes, but it all depends on what you are trying to achieve.
If you paste both searches and tell us what your goal is we might be able to help.

My guess based on your first comment is that you are trying to integrate datamodel with your lookup. Can you confirm this is the case? If so you can either build the lookup into your datamodel or pipe it in the same way as you would do with a normal lookup. Take a look at this:

http://docs.splunk.com/Documentation/Splunk/6.3.2/Knowledge/Aboutdatamodels

Data models can get their fields from extractions that you set up in the Field Extractions section of Manager or by configured directly in props.conf and transforms.conf. When you define your data model, you can arrange to have it get additional fields at search time through regular-expression-based field extractions, lookups, and eval expressions.

Thanks,
J

Re: How do I search using a data model?

Mitchellsch — Wed, 20 Jan 2016 16:37:43 GMT

Yes I'm trying to integrate the network data model with my lookup table. I want to search our network data model that we have already setup.