
What is the benefit of using saved searches vs data models?

leecj
Explorer

Apologies if I've missed something obvious.
Assuming I don't use parameterized saved searches, what benefits are there to using saved searches over data models? I.e., in what circumstances would I use the former?

I've contemplated using saved searches within my data models to gain the best of both worlds, just in case. Wondering if there are any downsides to that.

0 Karma

koshyk
Super Champion

Datamodels are very different from SavedSearches in concept and implementation.

Use a Datamodel if you need:
- hierarchy between your objects/datasets (e.g. you need Status codes, and you also need error objects, while the error object is a child of Status-code, etc.)
- to map a complex dataset into a simplified form and expose it to end-users
- to make data common across multiple datasets and devices (e.g. CIM)
- to accelerate and get data fast for certain fields
You can get more information from this document

SavedSearch, on the other hand, is pretty simple and is very useful if you just want scheduled, one-time reports and if end-user interaction is NOT required.

In short, use Datamodels when the data is complex and needs interaction.

0 Karma

leecj
Explorer

Thanks for that. However, just to clarify:
1. If I already have to build datamodels for the reasons you've outlined above, there would be little value in creating a similar saved search. Reusing it in my reports and ad hoc queries would suffice, no?
2. If 'no' to (1), should I bother creating my datamodels from saved searches?
3. It still sounds like they serve similar purposes, except to varying degrees. I liken them to views in the relational DB world. Is that a reasonable way to look at it?

0 Karma

koshyk
Super Champion
  1. If you put in the Common Information Model app (CIM), you will get quite a lot of datamodels which cover all types of data. I have rarely seen any further use for creating custom Datamodels unless there is an absolute need for it. The key point is "interaction" for the end-user. If you want to remove the complexity from the end-user, it is a valid case for creating a pivot/datamodel.
  2. When you create datamodels, you put specific searches for your objects. It won't be a savedsearch, but a normal search.
  3. Relational DB views are a good way to think of Pivot (but datamodel is also similar). But you are right to look at it like that. Datamodel is crucial for Enterprise Security, ITSI etc.
0 Karma
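
The two approaches discussed in this thread, side by side, as an added configuration example that is not part of the original posts: a scheduled saved search over raw events, and the same report reading an accelerated CIM data model through `tstats`. The stanza names, index and sourcetype are constructed placeholders, and the example assumes the CIM app's Authentication data model is installed.

```ini
# savedsearches.conf: scheduled report over raw events.
# Stanza name, index and sourcetype are constructed placeholders.
[Example - Failed logins by source (hourly)]
search = index=example_index sourcetype=example:auth action=failure | stats count by src, user
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h

# datamodels.conf: enable acceleration for the CIM Authentication data model
# (assumes the CIM app provides this data model; 7 days is an example range).
[Authentication]
acceleration = true
acceleration.earliest_time = -7d

# savedsearches.conf: the same scheduled report, reading the accelerated
# data model summaries instead of raw events. Field names are the data
# model's normalized names, so the search no longer depends on one sourcetype.
[Example - Failed logins by source (hourly, accelerated)]
search = | tstats summariesonly=true count from datamodel=Authentication where Authentication.action="failure" by Authentication.src, Authentication.user
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
```

With `summariesonly=true` the second report only counts events that have already been summarized, so a source that is not mapped to the data model, or a summary that has not caught up, produces no results rather than an error.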