
Multi-value field definition for pivot (use of data model)

ayelet_morris
Engager

Hi All,

I'm trying to create a data model so I would be able to use the "Pivot" for all my fields.

I ran into trouble defining my multi-value field; the Pivot doesn't allow it to be added to the table and I couldn't fix this.

I'm sending the data using JSON, my data model definition for this field looks like this:

        {
            "displayName": "Location Vehicle Pair",
            "required": false,
            "multivalue": true,
            "comment": "",
            "hidden": false,
            "properties": {
                "location-name": {"type": "string", "displayName": "Location Name"},
                "vehicle-type": {"type": "string", "displayName": "Vehicle Type"}
            },
            "fieldName": "location-vehicle-pair"
        }

An example of this field in the event:
"location-vehicle-pair": [{"location-name": "Paris","vehicle-type": "Bus"},{"location-name": "London","vehicle-type": "Train"}]

In props.conf file I defined:

FIELDALIAS-location-vehicle-pair-location-name=location-vehicle-pair{}.location-name as location-vehicle-pair-location-name
FIELDALIAS-location-vehicle-pair-vehicle-type=location-vehicle-pair{}.vehicle-type as location-vehicle-pair-vehicle-type

This works for array fields but not for this one; location-vehicle-pair{}.vehicle-type works in search but not here.

The other fields in this event are all single values or arrays, and they all work for me in the Pivot (arrays with use of props.conf file FIELDALIAS).
I would rather not use regex if possible.

Does anyone know what's the problem with my definitions?

Thanks!

0 Karma

Simon_Fishel
Splunk Employee

I'm not familiar with the "properties" key that you're using in your data model object field definition, but there are a couple of other ways you can do this:

1) If your field aliases from props.conf are working you should be able to use the Add Attribute -> Auto-Extracted flow in the data model editor UI to add those fields to the object.

2) If you don't want to rely on props.conf, you can define those fields directly using an eval: use the Add Attribute -> Eval Expression flow in the data model editor UI, and enter spath(_raw, "location-vehicle-pair{}.location-name") for the body of the eval expression.

Hope that helps!

ayelet_morris
Engager

I tried both solutions and got this error while trying to save on both of them:
In handler 'datamodeledit': Invalid field type.

Do you know what that means?

0 Karma

Simon_Fishel
Splunk Employee

Might be a typo in your data model JSON file (based on the original question, I'm assuming you've edited that file by hand). Make sure all of the fields have a "type" defined. The allowed values for type are: "string", "number", "boolean", or "ipv4".

By the way, you'll have to restart Splunk after editing the JSON file for the changes to take effect.

0 Karma

ayelet_morris
Engager

I have the part written above in my JSON definition file, but I tried to use the definitions you suggested via the GUI, and that was where I got this exception when saving, so I don't think I had a misspelling... I defined them both as Strings.

Should I remove the multi-value JSON definition before using this new definition?

0 Karma

Simon_Fishel
Splunk Employee

What I meant was if there is a typo in what's already in your data model JSON file, you can get errors trying to make changes to it through the UI. The definition of "location-vehicle-pair" above is missing a type, so you'll need to either add a type to it or remove the definition if you don't need it. If that doesn't fix the problem, take a look at any other parts of the JSON file that you've hand-edited in the past and make sure there aren't any missing or incorrect types.

0 Karma
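A check for the condition described in the replies above (every field definition needs a "type" from the allowed list, and the file must parse as JSON). This is an added example, not code from the thread or from Splunk; it assumes a field definition is any JSON object carrying a "fieldName" key, as in the snippets posted here, and the wrapper key "fields" and the "speed" field in the sample are constructed.

```python
import json

# Allowed values as listed in the reply above.
ALLOWED_TYPES = {"string", "number", "boolean", "ipv4"}


def find_field_problems(node, path="$"):
    """Recursively collect field definitions with a missing or invalid "type".

    Assumption: any JSON object with a "fieldName" key is a field definition.
    """
    problems = []
    if isinstance(node, dict):
        if "fieldName" in node:
            t = node.get("type")
            if t is None:
                problems.append((path, node["fieldName"], "missing type"))
            elif not isinstance(t, str) or t not in ALLOWED_TYPES:
                problems.append((path, node["fieldName"], f"invalid type {t!r}"))
        for key, value in node.items():
            problems += find_field_problems(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            problems += find_field_problems(value, f"{path}[{i}]")
    return problems


def check_data_model(text):
    """Return a list of (path, fieldName, problem); syntax errors carry a position."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        msg = f"JSON syntax error at line {exc.lineno}, column {exc.colno}: {exc.msg}"
        return [("$", None, msg)]
    return find_field_problems(doc)


# Constructed sample: the first entry mirrors the typeless definition in the question.
SAMPLE = """{"fields": [
  {"fieldName": "location-vehicle-pair", "multivalue": true,
   "properties": {"location-name": {"type": "string"}}},
  {"fieldName": "location-vehicle-pair.location-name", "multivalue": true, "type": "string"},
  {"fieldName": "speed", "type": "text"}
]}"""

if __name__ == "__main__":
    for problem in check_data_model(SAMPLE):
        print(problem)
```
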

ayelet_morris
Engager

OK, Thanks!
I managed to create 2 separate fields in my data model that each represent the "sub-fields" similar to this:

{
    "displayName": "Location Name",
    "required": false,
    "multivalue": true,
    "comment": "",
    "hidden": false,
    "type": "string",
    "fieldName": "location-vehicle-pair.location-name"
}

I also left the field-aliases definitions in the props file.

It looks like it is working now, but I'm not sure if this is correct: it is a multi-value field that I define in two separate fields. Will this work properly with the pivot and searches? It has more than one value in some events.

0 Karma