Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why Can't I use a datamodel backwards?

snoobzilla
Builder
‎08-25-2014 06:25 PM

Error in 'SearchParser': The datamodel command can only be used as the first command on a search

Ok... more of theoretical discussion here..

Why oh why can't I push events into a data model and see where it lands in the datamodel?

Datamodels look awesome for big picture analytics. However, I am trying to build tools to help classify individual events(errors) through lookups and such so that people at the support desk know exactly what they are looking at.

Essentially we build datamodels to put events into buckets... why can't I put an event through to see which bucket it lands in? If I could throw individual or a small set of events at the at a complex datamodel it would be ideal for this purpose. However it seems like to filter for say an individual username in a datamodel schema I have to run the entire datamodel OR add it to the data model as a constraint? Why can't I pipe into a data model?

Thoughts from fellow Splunkers? Would anyone else find this useful?

Tags (1)
0 Karma
Reply

Ayn
Legend
‎08-25-2014 11:57 PM

Not sure I follow your exact use-case. A datamodel is not a means of storage, it is a way of representing data already that already exists in your index. This model can then be used by at least pivot and tstats - you can add your filters there. Or, you can do it by adding new constraints in the model itself. I don't know what you mean by "running the whole model" - a regular search with a username constraint like "... username=foo" isn't looking at all the data in the timerange, it only grabs data which matches the constraint. It's the same with data models.

Perhaps if you elaborated a bit more on your exact use-case it would be possible to post a more meaningful response.

0 Karma
Reply

snoobzilla
Builder
‎08-26-2014 01:37 AM

Use case: Build a complex data model to bucket poorly standardized logs into meaningful buckets of distinct use cases for errors. Add a lookup of what it means. People at the service desk could use this info when they get a call. Build a form to allow them to do a search like...

username=foo earliest=now latest=-12h | datamodel complexdatamodel clienterrors search | fields _time username WhatThisMeans WhatToDoAboutIT WhenWillItBeFixed

They would know what we know without any expertise. Right now it looks like what I would have to do is run the entire datamodel and then search the results....

| datamodel complexdatamodel clienterrors search | fields _time username WhatThisMeans WhatToDoAboutIT WhenWillItBeFixed | search username=foo

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...