Splunk Enterprise Security

How come our data models are only displaying CIM fields and not the raw fields of the source type?

anaidu_splunk
Splunk Employee
Splunk Employee

Description:
Data models are not showing the raw fields of the source type. They only display the CIM fields.

Goal:
To display the related source type fields not included in the CIM model.

After upgrading the Splunk Enterprise search head from 6.6.x to 7.1.x, the data models are not displaying the raw fields extracted with the source type. Instead, they are only displaying the fields associated with the respective data models.

0 Karma
1 Solution

mbadhusha_splun
Splunk Employee
Splunk Employee

Looks like the data model searches now only use fields that have been defined within the data model.

When you upgrade to version 7.1 of Splunk Enterprise, data model searches can only use field names that have been defined within the data model. Splunk Enterprise no longer automatically extracts field names.

Additionally, if you have a data model search that references an automatically extracted field name that contains whitespace, you must work around the fact that data models do not allow field names that contain whitespace.

This has been changed from Splunk 7.1 due to which the datamodels no longer displays the fields extracted from the sourcetype.

REF:

http://docs.splunk.com/Documentation/Splunk/7.1.3/Installation/AboutupgradingREADTHISFIRST#Data_mode...

To get the automatic extracts field names, you would have to manually define in the data model. Please refer the below doc for your reference.

REF:

http://docs.splunk.com/Documentation/Splunk/7.1.3/Knowledge/Definedatamodelattributes

Hope the above helps.

View solution in original post

mbadhusha_splun
Splunk Employee
Splunk Employee

Looks like the data model searches now only use fields that have been defined within the data model.

When you upgrade to version 7.1 of Splunk Enterprise, data model searches can only use field names that have been defined within the data model. Splunk Enterprise no longer automatically extracts field names.

Additionally, if you have a data model search that references an automatically extracted field name that contains whitespace, you must work around the fact that data models do not allow field names that contain whitespace.

This has been changed from Splunk 7.1 due to which the datamodels no longer displays the fields extracted from the sourcetype.

REF:

http://docs.splunk.com/Documentation/Splunk/7.1.3/Installation/AboutupgradingREADTHISFIRST#Data_mode...

To get the automatic extracts field names, you would have to manually define in the data model. Please refer the below doc for your reference.

REF:

http://docs.splunk.com/Documentation/Splunk/7.1.3/Knowledge/Definedatamodelattributes

Hope the above helps.

Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...