Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How come our data models are only displaying CIM fields and not the raw fields of the source type?

anaidu_splunk
Splunk Employee
Splunk Employee
‎12-19-2018 10:01 PM

Description:
Data models are not showing the raw fields of the source type. They only display the CIM fields.

Goal:
To display the related source type fields not included in the CIM model.

After upgrading the Splunk Enterprise search head from 6.6.x to 7.1.x, the data models are not displaying the raw fields extracted with the source type. Instead, they are only displaying the fields associated with the respective data models.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mbadhusha_splun
Splunk Employee
Splunk Employee
‎12-19-2018 10:21 PM

Looks like the data model searches now only use fields that have been defined within the data model.

When you upgrade to version 7.1 of Splunk Enterprise, data model searches can only use field names that have been defined within the data model. Splunk Enterprise no longer automatically extracts field names.

Additionally, if you have a data model search that references an automatically extracted field name that contains whitespace, you must work around the fact that data models do not allow field names that contain whitespace.

This has been changed from Splunk 7.1 due to which the datamodels no longer displays the fields extracted from the sourcetype.

REF:

http://docs.splunk.com/Documentation/Splunk/7.1.3/Installation/AboutupgradingREADTHISFIRST#Data_mode...

To get the automatic extracts field names, you would have to manually define in the data model. Please refer the below doc for your reference.

REF:

http://docs.splunk.com/Documentation/Splunk/7.1.3/Knowledge/Definedatamodelattributes

Hope the above helps.

View solution in original post

Reply
Solved! Jump to solution
Solution

mbadhusha_splun
Splunk Employee
Splunk Employee
‎12-19-2018 10:21 PM

Looks like the data model searches now only use fields that have been defined within the data model.

When you upgrade to version 7.1 of Splunk Enterprise, data model searches can only use field names that have been defined within the data model. Splunk Enterprise no longer automatically extracts field names.

Additionally, if you have a data model search that references an automatically extracted field name that contains whitespace, you must work around the fact that data models do not allow field names that contain whitespace.

This has been changed from Splunk 7.1 due to which the datamodels no longer displays the fields extracted from the sourcetype.

REF:

http://docs.splunk.com/Documentation/Splunk/7.1.3/Installation/AboutupgradingREADTHISFIRST#Data_mode...

To get the automatic extracts field names, you would have to manually define in the data model. Please refer the below doc for your reference.

REF:

http://docs.splunk.com/Documentation/Splunk/7.1.3/Knowledge/Definedatamodelattributes

Hope the above helps.

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...