Splunk Enterprise Security

How come our data models are only displaying CIM fields and not the raw fields of the source type?

anaidu_splunk
Splunk Employee

Description:
Data models are not showing the raw fields of the source type. They only display the CIM fields.

Goal:
To display the related source type fields not included in the CIM model.

After upgrading the Splunk Enterprise search head from 6.6.x to 7.1.x, the data models are not displaying the raw fields extracted with the source type. Instead, they are only displaying the fields associated with the respective data models.


mbadhusha_splun
Splunk Employee

Looks like the data model searches now only use fields that have been defined within the data model.

When you upgrade to version 7.1 of Splunk Enterprise, data model searches can only use field names that have been defined within the data model. Splunk Enterprise no longer automatically extracts field names.

Additionally, if you have a data model search that references an automatically extracted field name that contains whitespace, you must work around the fact that data models do not allow field names that contain whitespace.

This changed in Splunk 7.1, which is why the data models no longer display the fields extracted from the sourcetype.

REF:

http://docs.splunk.com/Documentation/Splunk/7.1.3/Installation/AboutupgradingREADTHISFIRST#Data_mode...

To get the automatically extracted field names, you would have to define them manually in the data model. Please refer to the doc below.

REF:

http://docs.splunk.com/Documentation/Splunk/7.1.3/Knowledge/Definedatamodelattributes

Hope the above helps.

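As an added illustration (not from this thread or Splunk's documentation), below is a trimmed data model JSON object that re-declares two auto-extracted fields so data model searches can still use them after the 7.1 change: `src_port` is declared directly, and an auto-extracted field whose name contains a space, `client address`, is exposed through an Eval calculation under the whitespace-free name `client_address`. The object name, sourcetype constraint and field names are assumptions made up for the example; the `comment` keys are part of the data model JSON schema and are used here to label them.

```json
{
  "objectName": "Web_Access",
  "displayName": "Web Access",
  "parentName": "BaseEvent",
  "comment": "Example object (assumption): constraint and field names are illustrative",
  "constraints": [
    { "search": "sourcetype=example:access", "owner": "Web_Access" }
  ],
  "fields": [
    {
      "fieldName": "src_port",
      "owner": "Web_Access",
      "type": "number",
      "fieldSearch": "",
      "required": false,
      "multivalue": false,
      "hidden": false,
      "editable": true,
      "displayName": "src_port",
      "comment": "Auto-extracted field declared explicitly so the model can use it"
    }
  ],
  "calculations": [
    {
      "calculationID": "client_address_eval",
      "calculationType": "Eval",
      "owner": "Web_Access",
      "editable": true,
      "comment": "Whitespace workaround: the eval quotes the raw field name and emits a legal one",
      "expression": "'client address'",
      "outputFields": [
        {
          "fieldName": "client_address",
          "owner": "Web_Access",
          "type": "string",
          "fieldSearch": "",
          "required": false,
          "multivalue": false,
          "hidden": false,
          "editable": true,
          "displayName": "client_address",
          "comment": ""
        }
      ]
    }
  ]
}
```

Once the object is saved, `| datamodel` and `| tstats` searches against it can reference `src_port` and `client_address` like any other data model field.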

