Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How come our data models are only displaying CIM fields and not the raw fields of the source type?

anaidu_splunk
Splunk Employee
Splunk Employee
‎12-19-2018 10:01 PM

Description:
Data models are not showing the raw fields of the source type. They only display the CIM fields.

Goal:
To display the related source type fields not included in the CIM model.

After upgrading the Splunk Enterprise search head from 6.6.x to 7.1.x, the data models are not displaying the raw fields extracted with the source type. Instead, they are only displaying the fields associated with the respective data models.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mbadhusha_splun
Splunk Employee
Splunk Employee
‎12-19-2018 10:21 PM

Looks like the data model searches now only use fields that have been defined within the data model.

When you upgrade to version 7.1 of Splunk Enterprise, data model searches can only use field names that have been defined within the data model. Splunk Enterprise no longer automatically extracts field names.

Additionally, if you have a data model search that references an automatically extracted field name that contains whitespace, you must work around the fact that data models do not allow field names that contain whitespace.

This has been changed from Splunk 7.1 due to which the datamodels no longer displays the fields extracted from the sourcetype.

REF:

http://docs.splunk.com/Documentation/Splunk/7.1.3/Installation/AboutupgradingREADTHISFIRST#Data_mode...

To get the automatic extracts field names, you would have to manually define in the data model. Please refer the below doc for your reference.

REF:

http://docs.splunk.com/Documentation/Splunk/7.1.3/Knowledge/Definedatamodelattributes

Hope the above helps.

View solution in original post

Reply
Solved! Jump to solution
Solution

mbadhusha_splun
Splunk Employee
Splunk Employee
‎12-19-2018 10:21 PM

Looks like the data model searches now only use fields that have been defined within the data model.

When you upgrade to version 7.1 of Splunk Enterprise, data model searches can only use field names that have been defined within the data model. Splunk Enterprise no longer automatically extracts field names.

Additionally, if you have a data model search that references an automatically extracted field name that contains whitespace, you must work around the fact that data models do not allow field names that contain whitespace.

This has been changed from Splunk 7.1 due to which the datamodels no longer displays the fields extracted from the sourcetype.

REF:

http://docs.splunk.com/Documentation/Splunk/7.1.3/Installation/AboutupgradingREADTHISFIRST#Data_mode...

To get the automatic extracts field names, you would have to manually define in the data model. Please refer the below doc for your reference.

REF:

http://docs.splunk.com/Documentation/Splunk/7.1.3/Knowledge/Definedatamodelattributes

Hope the above helps.

Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...