Reporting
Highlighted

Is there a quick way to list all fields in a data model within Splunk?

Motivator

I've read about the pivot and datamodel commands. What I'm trying to do is run some sort of search in Splunk (rest perhaps) to pull out the fields defined in any loaded datamodel. I'm not trying to run a search against my data as seen through the eyes of any particular datamodel. In other words I'd like an output of something like

DataModel  Object    Fields
Web        Web       action, app, bytes, bytes_in, ...

I'm not as concerned about the exact formatting as much as the list of fields. You can run something like this but the description field is a bear to go through

| rest /servicesNS/-/-/datamodel/model | dedup title | table title description
Labels (1)
Highlighted

Re: Is there a quick way to list all fields in a data model within Splunk?

Splunk Employee
Splunk Employee

You could try something like this:

| rest /servicesNS/-/-/datamodel/model 
| fields displayName, tags_whitelist, description 
| mvexpand description 
| eval desription=replace(description,"'","\"") 
| rex field=description mode=sed "s/'/\"/g" 
| spath input=description 
| fields displayName, objects{}.constraints{}.search, objects{}.fields{}.displayName
0 Karma
Highlighted

Re: Is there a quick way to list all fields in a data model within Splunk?

Loves-to-Learn

I know this is an old thread but I came up with this. Its shows the datamodel name, the index and sourcetype that feeds that datamodel, and what fields are in that datamodel.

| datamodel 
| rex field=_raw "\"modelName\"\s*\:\s*\"(?<modelName>[^\"]+)\"" 
| spath output=fieldList objects{}.fields{}.displayName
| table modelName fieldList
| where modelName!="Splunk_CIM_Validation"
| table modelName fieldList
| map maxsearches=40 search="tstats `summariesonly` count from datamodel=$modelName$ by sourcetype,index | eval modelName=\"$modelName$\" | eval fieldList=\"$fieldList$\""
| stats values(fieldList) as fieldList values(index) as index, values(sourcetype) as sourcetype by modelName
0 Karma