Splunk Enterprise Security

How come our data models are only displaying CIM fields and not the raw fields of the source type?

anaidu_splunk
Splunk Employee
Splunk Employee

Description:
Data models are not showing the raw fields of the source type. They only display the CIM fields.

Goal:
To display the related source type fields not included in the CIM model.

After upgrading the Splunk Enterprise search head from 6.6.x to 7.1.x, the data models are not displaying the raw fields extracted with the source type. Instead, they are only displaying the fields associated with the respective data models.

0 Karma
1 Solution

mbadhusha_splun
Splunk Employee
Splunk Employee

Looks like the data model searches now only use fields that have been defined within the data model.

When you upgrade to version 7.1 of Splunk Enterprise, data model searches can only use field names that have been defined within the data model. Splunk Enterprise no longer automatically extracts field names.

Additionally, if you have a data model search that references an automatically extracted field name that contains whitespace, you must work around the fact that data models do not allow field names that contain whitespace.

This has been changed from Splunk 7.1 due to which the datamodels no longer displays the fields extracted from the sourcetype.

REF:

http://docs.splunk.com/Documentation/Splunk/7.1.3/Installation/AboutupgradingREADTHISFIRST#Data_mode...

To get the automatic extracts field names, you would have to manually define in the data model. Please refer the below doc for your reference.

REF:

http://docs.splunk.com/Documentation/Splunk/7.1.3/Knowledge/Definedatamodelattributes

Hope the above helps.

View solution in original post

mbadhusha_splun
Splunk Employee
Splunk Employee

Looks like the data model searches now only use fields that have been defined within the data model.

When you upgrade to version 7.1 of Splunk Enterprise, data model searches can only use field names that have been defined within the data model. Splunk Enterprise no longer automatically extracts field names.

Additionally, if you have a data model search that references an automatically extracted field name that contains whitespace, you must work around the fact that data models do not allow field names that contain whitespace.

This has been changed from Splunk 7.1 due to which the datamodels no longer displays the fields extracted from the sourcetype.

REF:

http://docs.splunk.com/Documentation/Splunk/7.1.3/Installation/AboutupgradingREADTHISFIRST#Data_mode...

To get the automatic extracts field names, you would have to manually define in the data model. Please refer the below doc for your reference.

REF:

http://docs.splunk.com/Documentation/Splunk/7.1.3/Knowledge/Definedatamodelattributes

Hope the above helps.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...