Knowledge Management

Can we use data model in SPL query with out using pivot?

Explorer

While creating dashboard we can create panels/chart using tags , event types OR can use data model to search.. So which is better way and why?

0 Karma
1 Solution

Influencer

Well although the question is a bit vague, I would say that from a performance point of view, if you have DataModels and they are accelerated, then you'd get the best out of it. The benefits rely mainly on the fact that datamodels can be accelerated and your performance much better. Out of that aspect, there is no advantage of using one instead of another. Just use the one that helps you filter data the as soon as possible in the search query

The other great thing you may use is indexed fields, which can be searched with tstats in SPL much faster than search time created/extracted fields.

Lastly, if you are coming to search time extracted fields, either using tags or event types it is really up to your specific context. There is no reason to use one or the other besides the fastest path to filter events in your use case scenario.

Let me know if this is the approach you were expecting

View solution in original post

0 Karma

Ultra Champion

-- Can we use data model in SPL query with out using pivot?
Sure, something like | datamodel Web Web search | fields Web*.

Pivot is an interface to the data model, but you can use the data model by yourself.

Explorer

okay.. but what i am asking is that..wt benefits we get if we are using datamodel in search rather than use macro or event types?

0 Karma

Influencer

The benefits rely mainly on the fact that datamodels can be accelerated and your performance much better. Out of that aspect, there is no advantage of using one instead of another. Just use the one that helps you filter data the as soon as possible in the search query

Explorer

Okay...thanks.. got it..

0 Karma

Influencer

If you think it clarified you, please accept the answer for future references.

0 Karma

Influencer

Well although the question is a bit vague, I would say that from a performance point of view, if you have DataModels and they are accelerated, then you'd get the best out of it. The benefits rely mainly on the fact that datamodels can be accelerated and your performance much better. Out of that aspect, there is no advantage of using one instead of another. Just use the one that helps you filter data the as soon as possible in the search query

The other great thing you may use is indexed fields, which can be searched with tstats in SPL much faster than search time created/extracted fields.

Lastly, if you are coming to search time extracted fields, either using tags or event types it is really up to your specific context. There is no reason to use one or the other besides the fastest path to filter events in your use case scenario.

Let me know if this is the approach you were expecting

View solution in original post

0 Karma