Splunk Enterprise Security

Are search-time extractions for non-accelerated data models possible?

Engager

Is it possible for additional fields to be extracted from a non-accelerated data model at search time? Our ES "Malware" data model contains log events in JSON format. We are parsing/extracting these fields at index time, but we do not explicitly include all of the fields within the data model. However, we would like to be able to extract, or have available, the additional indexed fields at search time.

| from datamodel:"Malware"."Malware_Attacks"

My understanding is that the "|from datamodel" command is inherently not accelerated. I realize we could add the extracted fields to the data model but that would also include the fields into the acceleration index for that data model which we do not want to do.

We recently upgraded Splunk Enterprise (6.6.3 to 7.1.2) and ES (4.7.4 to 5.1.0). We have a correlation search that was working prior to the upgrade using this data model and was dependent on additional fields being extracted from the JSON. I'm not sure how, but all of the JSON field extractions were previously available at search time even though they were not explicitly included in the data model (in fact, we never even modified the Malware data model). Since the upgrade, this no longer works, as the additional fields seem to no longer be available at search time. I've reviewed backup configuration files but have not been able to determine a reason for this change in behavior.

1 Solution

Explorer

Unfortunately this seems to be intended as of 7.1.

Here is some documentation that identifies this:
https://docs.splunk.com/Documentation/Splunk/7.2.4/Installation/AboutupgradingREADTHISFIRST#Data_mod...


Splunk Employee

Hi @kbaldwin!

Thanks for posting! Sorry you haven't received any answers to your question. I'm sure help is on the way!

But, in the meantime, if you want to try to get some immediate help for your question, you should join the 5000+ Splunk users in our public Slack Community chat. People ask each other for immediate help on there daily. You can share your question/link to your post there to see if anyone can take a stab at it.

You first have to request access through https://splk.it/slack (fill out the form), and once you receive the approval email from our Community Manager (the approval process usually takes a couple of days), you can access Slack.com and ask for help in the #general channel.
