Knowledge Management

Multi-value field definition for pivot (use of data model)

ayelet_morris
Engager

Hi All,

I'm trying to create a data model so I would be able to use the "Pivot" for all my fields.

I ran into trouble defining my multi-value field: the Pivot doesn't allow it to be added to the table, and I couldn't fix this.

I'm sending the data using JSON; my data model definition for this field looks like this:

    {
        "displayName": "Location Vehicle Pair",
        "required": false,
        "multivalue": true,
        "comment": "",
        "hidden": false,
        "properties": {
            "location-name": {"type": "string", "displayName": "Location Name"},
            "vehicle-type": {"type": "string", "displayName": "Vehicle Type"}
        },
        "fieldName": "location-vehicle-pair"
    }

An example of this field in the event:

    "location-vehicle-pair": [{"location-name": "Paris","vehicle-type": "Bus"},{"location-name": "London","vehicle-type": "Train"}]

In props.conf file I defined:

    FIELDALIAS-location-vehicle-pair-location-name=location-vehicle-pair{}.location-name as location-vehicle-pair-location-name
    FIELDALIAS-location-vehicle-pair-vehicle-type=location-vehicle-pair{}.vehicle-type as location-vehicle-pair-vehicle-type

This works for array fields but not for this field; location-vehicle-pair{}.vehicle-type works in search but not here.

The other fields in this event are all single values or arrays, and they all work for me in the Pivot (arrays with the use of props.conf file FIELDALIAS).
I would rather not use regex if possible.

Does anyone know what the problem with my definitions is?

Thanks!

0 Karma

Simon_Fishel
Splunk Employee

I'm not familiar with the "properties" key that you're using in your data model object field definition, but there are a couple of other ways you can do this:

1) If your field aliases from props.conf are working you should be able to use the Add Attribute -> Auto-Extracted flow in the data model editor UI to add those fields to the object.

2) If you don't want to rely on props.conf you can define those fields directly using an eval: use the Add Attribute -> Eval Expression flow in the data model editor UI, and enter spath(_raw, "location-vehicle-pair{}.location-name") for the body of the eval expression.

Hope that helps!

ayelet_morris
Engager

I tried both solutions and got this error while trying to save on both of them:
In handler 'datamodeledit': Invalid field type.

Do you know what that means?

0 Karma

Simon_Fishel
Splunk Employee

Might be a typo in your data model JSON file (based on the original question, I'm assuming you've edited that file by hand). Make sure all of the fields have a "type" defined. The allowed values for type are: "string", "number", "boolean", or "ipv4".

By the way, you'll have to restart Splunk after editing the JSON file for the changes to take effect.

0 Karma

ayelet_morris
Engager

I have the part written above in my JSON definition file, but I tried to use the definitions you suggested via the GUI, and that was where I got this exception when saving, so I don't think I had a misspelling... I defined them both as Strings.

Should I remove the multi-value JSON definition before using this new definition?

0 Karma

Simon_Fishel
Splunk Employee

What I meant was if there is a typo in what's already in your data model JSON file, you can get errors trying to make changes to it through the UI. The definition of "location-vehicle-pair" above is missing a type, so you'll need to either add a type to it or remove the definition if you don't need it. If that doesn't fix the problem, take a look at any other parts of the JSON file that you've hand-edited in the past and make sure there aren't any missing or incorrect types.

0 Karma
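The type check described in the replies above, as an added example (not part of the original thread and not Splunk's own code): a Python script that walks a data model JSON document and reports every field definition whose "type" is missing or outside the four allowed values listed above. Treating any object with a "fieldName" key as a field definition is an assumption, and the sample document, its "fields" wrapper key and the "example-count" field are constructed.

```python
import json

# Allowed values for "type", as listed in the reply above.
ALLOWED_TYPES = {"string", "number", "boolean", "ipv4"}

# Constructed sample: the first entry mirrors the definition from the question.
SAMPLE = """
{"fields": [
  {"fieldName": "location-vehicle-pair", "displayName": "Location Vehicle Pair",
   "required": false, "multivalue": true, "comment": "", "hidden": false,
   "properties": {
     "location-name": {"type": "string", "displayName": "Location Name"},
     "vehicle-type": {"type": "string", "displayName": "Vehicle Type"}}},
  {"fieldName": "location-vehicle-pair-location-name",
   "displayName": "Location Name", "multivalue": true, "type": "string"},
  {"fieldName": "example-count", "displayName": "Example Count", "type": "integer"}
]}
"""

def find_type_problems(node, path="$"):
    """Return (json_path, fieldName, issue) for each field with a bad "type"."""
    problems = []
    if isinstance(node, dict):
        if "fieldName" in node:  # assumption: this key marks a field definition
            ftype = node.get("type")
            if ftype is None:
                problems.append((path, node["fieldName"], "missing type"))
            elif not isinstance(ftype, str) or ftype not in ALLOWED_TYPES:
                problems.append((path, node["fieldName"], f"invalid type {ftype!r}"))
        for key, value in node.items():
            problems.extend(find_type_problems(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            problems.extend(find_type_problems(value, f"{path}[{i}]"))
    return problems

def check_text(text):
    """Parse JSON text; report a syntax error (e.g. a missing comma) or type problems."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [("$", None, f"not valid JSON: {exc.msg} at line {exc.lineno}")]
    return find_type_problems(doc)

if __name__ == "__main__":
    for path, name, issue in check_text(SAMPLE):
        print(f"{path}: {name}: {issue}")
```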

ayelet_morris
Engager

OK, Thanks!
I managed to create 2 separate fields in my data model that each represent the "sub-fields" similar to this:

    {
        "displayName": "Location Name",
        "required": false,
        "multivalue": true,
        "comment": "",
        "hidden": false,
        "type": "string",
        "fieldName": "location-vehicle-pair.location-name"
    }

I also left the field-aliases definitions in the props file.

Looks like it is working now, but I'm not sure if this is correct - it is a multi-value field that I define in two separate fields. Will this work properly with the pivot and searches? It has more than one value in some events.

0 Karma