Solved: datamodel command for multilevel data model child ...

rajim · ‎03-14-2018

I want to run datamodel command to fetch the results from a child dataset which is part of a datamodel as shown in the attached screenshot. I am using the below query. But unfortunately it's not returning error. Can anybody please help me write the correct query for multilevel child dataset.

| datamodel Windows_Security_Event_Management Windows_Security_Events Account_Management_Events search

Error message:
Error in 'datamodel' command: Invalid argument: 'search'

alt text

p_gurav · ‎03-17-2018

Hi,

Can you try :

 | datamodel Windows_Security_Event_Management Account_Management_Events search

View solution in original post

p_gurav · ‎03-17-2018

Hi,

Can you try :

 | datamodel Windows_Security_Event_Management Account_Management_Events search

rajim · ‎03-17-2018

Yes it's working. Thank you.

So we don't need to refer the parent datamodel. right?
Also if I have another child data model of Account_Management_Events, then also is it fine to refer that data model after the data model id?

p_gurav · ‎03-17-2018

Yes you can directly search after datamodel name, because according to documents datamodel command only take 1 dataset name. Refer this doc:
http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Datamodel

rajim · ‎03-17-2018

Thank you...
I had seen that document. there is "[ ]" enclosing the data set in that document. So I thought there might be multiple datasets. Anyway, thank you for your answer.

datamodel command for multilevel data model child datasets

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application