Knowledge Management

Can we use a data model in an SPL query without using pivot?

AmiHirani
Explorer

While creating a dashboard we can create panels/charts using tags, event types, or can use a data model to search. So which is the better way, and why?

0 Karma
1 Solution

tiagofbmm
Influencer

Well, although the question is a bit vague, I would say that from a performance point of view, if you have data models and they are accelerated, then you'd get the best out of it. The benefits rely mainly on the fact that data models can be accelerated and your performance is much better. Apart from that aspect, there is no advantage in using one instead of another. Just use the one that helps you filter data as soon as possible in the search query.

The other great thing you may use is indexed fields, which can be searched with tstats in SPL much faster than fields created/extracted at search time.

Lastly, if you are coming to search-time extracted fields, whether you use tags or event types is really up to your specific context. There is no reason to use one or the other besides the fastest path to filter events in your use case scenario.

Let me know if this is the approach you were expecting.


0 Karma

ddrillic
Ultra Champion

-- Can we use a data model in an SPL query without using pivot?
Sure, something like | datamodel Web Web search | fields Web*.

Pivot is an interface to the data model, but you can use the data model by yourself.
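
The options discussed in this thread, side by side as Simple XML dashboard panels. This is an added example, not code from any of the posters; it assumes the CIM Web data model (the model named in the datamodel Web Web reply above) with its src and status fields and its tag=web constraint.

```xml
<!-- Added example. Assumes the CIM Web data model (fields src, status; constraint tag=web). -->
<dashboard version="1.1">
  <label>Same count, four ways to filter</label>
  <row>
    <panel>
      <title>Search-time tag (no acceleration)</title>
      <table>
        <search>
          <!-- Tags are resolved at search time, so matching raw events are scanned. -->
          <query>tag=web | stats count by src, status</query>
        </search>
      </table>
    </panel>
    <panel>
      <title>Data model without Pivot</title>
      <table>
        <search>
          <!-- Runs the dataset's constraint search; fields come back prefixed with "Web.". -->
          <query>| datamodel Web Web search | stats count by Web.src, Web.status</query>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Accelerated data model via tstats</title>
      <table>
        <search>
          <!-- summariesonly=true reads only acceleration summaries; unsummarized events are not counted. -->
          <query>| tstats summariesonly=true count from datamodel=Web by Web.src, Web.status</query>
        </search>
      </table>
    </panel>
    <panel>
      <title>Indexed fields via tstats</title>
      <table>
        <search>
          <!-- index and sourcetype are indexed fields, so tstats answers from index files alone. -->
          <query>| tstats count where index=* by index, sourcetype</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Comparing run times of the four panels in the Job Inspector shows which path filters earliest for a given data set.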

AmiHirani
Explorer

Okay, but what I am asking is: what benefits do we get if we use a data model in a search rather than a macro or event types?

0 Karma

tiagofbmm
Influencer

The benefits rely mainly on the fact that data models can be accelerated and your performance is much better. Apart from that aspect, there is no advantage in using one instead of another. Just use the one that helps you filter data as soon as possible in the search query.

AmiHirani
Explorer

Okay, thanks. Got it.

0 Karma

tiagofbmm
Influencer

If you think it clarified things for you, please accept the answer for future reference.

0 Karma
