Knowledge Management

In Data model, Root Transaction, why does Splunk need to rename my Root Event fields???

leonjxtan
Path Finder

Say if I have a DataModel1.RootEvent1 set up, with fields extracted:
- Extracted1
- Extracted2

then I add a transaction data set DataModel1.RootTransaction1, with settings like maxspan=30, etc.

Then if I search:
|from datamodel:DataModel1.RootTransaction1
The events returned will not have an "Extracted1" field, but only a "RootTransaction1.Extracted1" field!

My question is: Splunk must have some use case to rename fields in the RootEvent data set. What is the use case?
If not, can this renaming behaviour just be removed?

Thanks.

0 Karma

DMohn
Motivator

Hi @leonjxtan,

This is an expected behavior of Splunk, as you are not accessing your raw events anymore, but the aggregated datamodel events. Think of the datamodel as sort of a "virtual layer" between your raw data and the search layer. You are searching for the data within the data model, so the fields will be prefixed with the data model name.

If this is a problem, you can still use a rename command (or a macro) to remove the DM prefix from the field names:

rename "RootTransaction1.*" as *
0 Karma
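The macro variant of that rename, as an added illustration that is not part of the reply above: a macros.conf stanza that takes the data set name as an argument, so the same macro strips the prefix for any Root Transaction data set. The macro name and argument name are assumed for this example.

```ini
# macros.conf (example added here; stanza name and argument name are assumed)
# Usage in a search:
#   | from datamodel:DataModel1.RootTransaction1 | `dm_strip_prefix(RootTransaction1)`
# expands to: | rename "RootTransaction1.*" as *
[dm_strip_prefix(1)]
args = dataset
definition = rename "$dataset$.*" as *
```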

leonjxtan
Path Finder

It just bugs me that this is not behavior for "Root Event", but only "Root Transaction". Both are Data Model data sets.

The behavior is not consistent, without any obvious reason behind it.

0 Karma

DMohn
Motivator

You have to differentiate between event fields that are present even before the data model aggregation is running (e.g. indexed extractions, "regular" field extractions) and fields that are created within the data model itself.

You are running a field calculation in the data model (the transaction), hence this will not be a raw event field, but a data model field.

So the behavior is not inconsistent, but expected, for the given reason.

0 Karma

leonjxtan
Path Finder

You advised the reason is to "differentiate between event fields" and Transaction fields.
Fine if that is the reason.
But in the transaction search, only the "RootTransaction1.Extracted1" field exists and the "Extracted1" field is gone. What is there to be differentiated against, please? I would say nothing to differentiate from, at least nothing from the search consumer's point of view. So why bother renaming?

0 Karma