Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Searching The Web data using the Web data-mode...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Experts,
We tried to add the web data into the Web data model using the eventtypes and tags and I was successful in creating those to Normalize the data. I did the searched for the web data and saved it as eventtype in eventtypes.conf in Splunk_SA_CIM/local/ and then in the tags.conf gave a tag for that eventtype to match data to data model using the tag.
My question here is do i need to give the tag name as 'Web' (The name of the data model) or create a child and like 'proxy' and give the tag name as proxy ?.
The other question is I'm trying to test if the data is linked to the data model.
I used a search [|datamodel Web]
The result is as follows, It is showing the structure of the datamodel.
{ [-]
description: Web Data Model
displayName: Web
modelName: Web
objectNameList: [ [-]
Web
Proxy
zscaler
]
objectSummary: { [-]
Event-Based: 3
Search-Based: 0
Transaction-Based: 0
}
objects: [ [+]
]
}
Show as raw text
When I tried to search [|datamodel Web proxy search]
It is shown there is no result found.
Please help me giving the write tag in tags.conf to link data to the datamodel and searching the data using that datamodel
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Rakesh92,
When you assign tag to eventtype for Web datamodel you need to provide tag web because Web datamodel using (cim_Web_indexes) tag=web in Base search. If you want to search proxy data then you need to assign proxy tag as well to eventtype which you created.
Now when you search using splunk query |datamodel Web, it will give you datamodel structure only. When you want to search data from Web datamodel, you need to run query |datamodel Web Web search. After running this query if you will still not get any result then you need to check cim_Web_indexes macro to add/modify index list based on your requirement.
I hope this helps.
Thanks,
Harshil
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Rakesh92,
When you assign tag to eventtype for Web datamodel you need to provide tag web because Web datamodel using (cim_Web_indexes) tag=web in Base search. If you want to search proxy data then you need to assign proxy tag as well to eventtype which you created.
Now when you search using splunk query |datamodel Web, it will give you datamodel structure only. When you want to search data from Web datamodel, you need to run query |datamodel Web Web search. After running this query if you will still not get any result then you need to check cim_Web_indexes macro to add/modify index list based on your requirement.
I hope this helps.
Thanks,
Harshil
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Harshil,,
That really Helped, Actually the macro was empty that the reason I didn't see any data. Once I added the index to the macro that worked. Thanks A lot 🙂
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...
Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern
Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...
