Splunk Enterprise Security

Are search-time extractions for non-accelerated data models possible?

kbaldwin
Engager

Is it possible for additional fields to be extracted from a non-accelerated data model at search time? Our ES "Malware" data model contains log events in JSON format. We are parsing/extracting these fields at index time, but we do not explicitly include all of the fields within the data model. However, we would like to be able to extract, or have available, the additional indexed fields at the time of search.

| from datamodel:"Malware"."Malware_Attacks"

My understanding is that the "|from datamodel" command is inherently not accelerated. I realize we could add the extracted fields to the data model but that would also include the fields into the acceleration index for that data model which we do not want to do.

We recently upgraded Splunk Enterprise (6.6.3 to 7.1.2) and ES (4.7.4 to 5.1.0). We have a correlation search that was working prior to the upgrade using this data model and was dependent on additional fields being extracted from the JSON. I'm not sure how, but all of the JSON field extractions were previously available at search time even though they were not explicitly included in the data model (in fact we never even modified the Malware data model). Since the upgrade, this no longer works, as the additional fields seem to no longer be available at search time. I've reviewed backup configuration files but have not been able to determine a reason for this change in behavior.

1 Solution

drutstein
Explorer

Unfortunately this seems to be intended as of 7.1.

Here is some documentation that identifies this:
https://docs.splunk.com/Documentation/Splunk/7.2.4/Installation/AboutupgradingREADTHISFIRST#Data_mod...

0 Karma
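The two searches below are an added example and are not taken from the question, the answer, or Splunk's documentation. They contrast the two ways of reading the same dataset: `from datamodel` returns only the fields the dataset defines, while the `datamodel ... search` form runs the dataset's constraint search and returns the underlying raw events, so search-time extractions (here an explicit `spath` over `_raw`) still apply to them. `dest`, `signature` and `action` are standard CIM fields of the Malware_Attacks dataset; `extra_json_field` is a hypothetical name standing in for one of the JSON keys the asker wanted, and the `action="allowed"` filter is an assumed example predicate.

```spl
| from datamodel:"Malware"."Malware_Attacks"
| table _time, dest, signature, action

| datamodel Malware Malware_Attacks search
| spath input=_raw
| search "Malware_Attacks.action"="allowed"
| table _time, "Malware_Attacks.dest", "Malware_Attacks.signature", extra_json_field
```

In the second form the dataset's own fields come back prefixed with the dataset name, while the JSON keys pulled out by `spath` keep their original names. Neither form reads the acceleration summary, so nothing is added to the accelerated index; both run the full constraint search, so keep the time range of a correlation search built this way tight. A quick check after an upgrade is to append `| fieldsummary` to each form over the same time range and compare which fields survive, since a correlation search that silently stops matching is easy to miss.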

mstjohn_splunk
Splunk Employee

Hi @kbaldwin!

Thanks for posting! Sorry you haven't received any answers to your question. I'm sure help is on the way!

But, in the meantime, if you want to try to get some immediate help for your question, you should join the 5000+ Splunk users in our public Slack Community chat. People ask each other for immediate help on there daily. You can share your question/link to your post there to see if anyone can take a stab at it.

You first have to request access through https://splk.it/slack. Fill out the form, and once you receive the approval email from our Community Manager (the approval process usually takes a couple of days), you can access Slack.com and ask for help in the #general channel.

0 Karma