Splunk Enterprise Security

Are search-time extractions for non-accelerated data models possible?

kbaldwin
Engager

Is it possible for additional fields to be extracted from a non-accelerated data model at search-time? Our ES "Malware" data model contains log events in json format. We are parsing/extracting these fields at index time but we do not explicitly include all of the fields within the data model. However, we would like to be able to extract or have the additional indexed fields available at the time of search.

| from datamodel:"Malware"."Malware_Attacks"

My understanding is that the "|from datamodel" command is inherently not accelerated. I realize we could add the extracted fields to the data model but that would also include the fields into the acceleration index for that data model which we do not want to do.

We recently upgraded Splunk Enterprise (6.6.3 to 7.1.2) and ES (4.7.4 to 5.1.0). We have a correlation search that was working prior to the upgrade using this data model and was dependent on additional fields to be extracted from the json. I'm not sure how but all of the json field extractions were previously available at search time even though they were not explicitly included in the data model (in fact we never even modified the Malware data model). Since the upgrade, this no longer works as the additional fields seem to no longer be available at search time. I've reviewed backup configuration files but have not been able to determine a reason for this change in behavior.

1 Solution

drutstein
Explorer

Unfortunately this seems to be intended as of 7.1.

Here is some documentation that identifies this:
https://docs.splunk.com/Documentation/Splunk/7.2.4/Installation/AboutupgradingREADTHISFIRST#Data_mod...

0 Karma
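As an added example (not from any post in this thread): a search that retrieves the underlying events instead of the dataset's field list, so JSON keys that are not in the data model can still be extracted at search time. It assumes `dest` and `signature` are fields of the CIM `Malware_Attacks` dataset and uses `vendor_extra_field` as a placeholder for one of the JSON keys the model does not include.

```spl
| datamodel Malware Malware_Attacks search
| spath input=_raw
| rename "Malware_Attacks.*" AS *
| table _time dest signature vendor_extra_field
```

Because `datamodel ... search` returns raw events (with `_raw` and any indexed fields) rather than only the dataset's fields, `spath` can extract the remaining JSON keys without adding them to the data model or its acceleration.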

mstjohn_splunk
Splunk Employee

Hi @kbaldwin!

Thanks for posting! Sorry you haven't received any answers to your question. I'm sure help is on the way!

But, in the meantime, if you want to try to get some immediate help for your question, you should join the 5000+ Splunk users in our public Slack Community chat. People ask each other for immediate help on there daily. You can share your question/link to your post there to see if anyone can take a stab at it.

You first have to request access through https://splk.it/slack. Fill out the form, and once you receive the approval email from our Community Manager (usually the approval process may take a couple of days), you can access Slack.com and ask for help in the #general channel.

0 Karma