Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Data Model - Explanation

AliMaher
Path Finder
‎07-04-2024 12:42 PM

Hi,

I hope all is well.

 

I have struggled with Data Model Concept as I seek to know why and When we use the data model and how it increases the performance?

I am fine with it's structured data and has three type of data sets, also I am able to create it as How To.

 

But why use it? When use it?  what is the main idea behind it?

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-04-2024 11:13 PM

Hi @AliMaher ,

in internet and on the YouTube Splunk Channel, you can find many videos or documents to describe what are Data Models and how and why use them, like the following:

https://www.youtube.com/watch?v=WBzKUYAfGsk

https://www.youtube.com/watch?v=n0HPe175k24

https://docs.splunk.com/Documentation/Splunk/9.2.1/Knowledge/Aboutdatamodels 

and so on ...

Anyway summarizing, aData Models is a database containing structured and normalized (this is the password of the concept!) data that you can use, only for structured searches (there's no sense to put _raw on the DMs!) to have faster searches.

This means that you have always to choose add-ons CIM compliant, and if you have custom add-ons, you have to normalize them.

then you can run your searches having very faster results.

Then You can have still faster results using DM Acceleration.

When to use DMs?

you should use DMs all the times that you have to perform a search on structured data, in other words when you have to perform a search "field=value" on normalized data.

You cannot use DMs if you have to run a search on free text (as usual in Splunk) or on not normalized data; in this second case, my hint is to normalize your data and use DMs.

DMs give you another advantage: you can run a search on very heterogeneous data on the same DM, e.g.: if you're searching for a failed login, you should run a search on many indexes with different contraints (e.g. 4625 in windows), instead you can run a search on a DM only using the correct one and you'll have the failed login for all the data you have.

Last information: identify the DMs that you need to use and accelerate them, but only the ones that you have to use to avoid to consume unuseful resources.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎07-06-2024 03:14 AM

One more thing because that's often overlooked when talking about DMs.

DMs as such don't accelerate anything. DMs are just an intermediate layer of logic making Splunk able to search different types of data in the same way so when you search from DM using DM fields constraints, Splunk "underneath" transforms your search into raw data search and lets you search possibly multiple separate indexes and sourcetypes without even knowing the real structure of the underlying data.

DM _acceleration_ however is a completely different beast. It's the machinery that's running under Splunk's hood and prepares this database of indexed datamodel contents so that you can search using those pre-built summaries instead of digging through the raw data itself.

So while the DMA requires properly ingested and configured data normalized for DMs, it's this "one step beyond" that gives you performance benefits. If you just have DMs which are not accelerated you might be able to search your data easier (and create pivots) but it will not give you any performance gains. It's the DM acceleration that makes Splunk go zzzzooooooom.

Reply
Solved! Jump to solution

AliMaher
Path Finder
‎07-05-2024 09:47 AM

Thanks for the great explanation, really appreciated!

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎07-06-2024 07:59 AM

Here is link to CIM (Splunk Common Information Model) https://docs.splunk.com/Documentation/CIM/latest/User/Overview. By following it you can easily utilize create only once dashboard / report etc. and just add a new data sources and then those will be shown there.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-06-2024 04:10 AM

Hi @AliMaher ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated also by the others contributors 😉

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-04-2024 11:13 PM

Hi @AliMaher ,

in internet and on the YouTube Splunk Channel, you can find many videos or documents to describe what are Data Models and how and why use them, like the following:

https://www.youtube.com/watch?v=WBzKUYAfGsk

https://www.youtube.com/watch?v=n0HPe175k24

https://docs.splunk.com/Documentation/Splunk/9.2.1/Knowledge/Aboutdatamodels 

and so on ...

Anyway summarizing, aData Models is a database containing structured and normalized (this is the password of the concept!) data that you can use, only for structured searches (there's no sense to put _raw on the DMs!) to have faster searches.

This means that you have always to choose add-ons CIM compliant, and if you have custom add-ons, you have to normalize them.

then you can run your searches having very faster results.

Then You can have still faster results using DM Acceleration.

When to use DMs?

you should use DMs all the times that you have to perform a search on structured data, in other words when you have to perform a search "field=value" on normalized data.

You cannot use DMs if you have to run a search on free text (as usual in Splunk) or on not normalized data; in this second case, my hint is to normalize your data and use DMs.

DMs give you another advantage: you can run a search on very heterogeneous data on the same DM, e.g.: if you're searching for a failed login, you should run a search on many indexes with different contraints (e.g. 4625 in windows), instead you can run a search on a DM only using the correct one and you'll have the failed login for all the data you have.

Last information: identify the DMs that you need to use and accelerate them, but only the ones that you have to use to avoid to consume unuseful resources.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...