The SA-cim-validator displays the recommended fields while the official documentation at Common Information Model Add-on Manual doesn't refers to them.
We wonder what they are and why the official documentation doesn't refer to them.
The upcoming version of the documentation does refer to it. I'll keep you posted 🙂
These are great news! What's the concept of the Recommended Fields? will correlated searches and ootb ES dashboards work when the datamodel have values just for the Recommended Fields?
Let me know if this helps: https://docs.splunk.com/Documentation/CIM/4.14.0/User/UsetheCIMtonormalizedataatsearchtime#a._Use_th...
That's great but I hit memory limits and only three recommended fields show. Is there a way to query against one datamodel?
What if you change the /services/data/models to the one you want, such as:
Thanks for the feedback! I'll add that nugget to the docs 🙂
Thank you @lkutch_splunk
Btw, the json refers to a required field attribute which is false throughout. Is it a placeholder field?
If you only want to see the true ones, you can add "search recommended=True" toward the end of the search:
... | search recommended=True | table model,object_name,field_name | sort model,object_name,field_name
Right, my question is about the concept of required fields that we see in the json document.