I am using SPLUNK ES 5.3.1 version. I am trying to validate the existing datamodels (total 32, including CIM validation S.o.S) and finding answers for the points mentioned below:
Could you please help me how I shall be able to do this? TIA
Hello @Arpmjdr ,
One such app in Splunk to validate the Datamodel may be "Insight Analyzer": https://splunkbase.splunk.com/app/4618/.
Its DataModel Coverage section would give you immense information on the coverage of each of the Datamodels that you have.
If you are interested in the DM % complete over time, you can create a search to get that data from the REST API endpoint and store it in a lookup. I have done it like this:
Search to get the info from the API endpoint (runs every 5 min):
| rest /services/admin/summarization by_tstats=t splunk_server=local count=0 | eval datamodel=replace('summary.id',"DM_",""), datamodel=replace(datamodel,'eai:acl.app'."_",'eai:acl.app'."/"), _time=now(), complete='summary.complete'*100 | table _time datamodel complete | outputlookup dm_complete_info.csv append=t
Search to cleanup data older than 14 days from the lookup table (runs every day at midnight):
| inputlookup dm_complete_info.csv | eval oldest=now()-(14*86400) | where _time>oldest | table _time datamodel complete | outputlookup dm_complete_info.csv
Search to make a graph of the data:
| inputlookup dm_complete_info.csv | where _time>now()-(86400*7) | chart values(complete) AS complete over _time by datamodel useother=f usenull=f limit=0
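A follow-up to the searches above, added here as an example and not part of the original replies: it reads the same dm_complete_info.csv lookup and lists the data models whose acceleration is currently below a threshold or has lost ground over the last 24 hours. This matters for detections because a search that reads only the accelerated summaries does not see events the summary has not yet covered. The 95 percent threshold, the 24 hour window and the field names threshold, oldest_complete, latest_complete, lowest_complete and change are assumptions chosen for illustration.

```spl
| inputlookup dm_complete_info.csv
| where _time>now()-86400
| sort 0 datamodel _time
| stats first(complete) AS oldest_complete
        last(complete) AS latest_complete
        min(complete) AS lowest_complete
        count AS samples
        by datamodel
| eval threshold=95
| eval change=round(latest_complete-oldest_complete,1)
| where latest_complete<threshold OR change<0
| sort 0 latest_complete
| table datamodel samples oldest_complete lowest_complete latest_complete change
```

Saved as a scheduled alert that triggers when the result count is greater than zero, it reports lagging data models without anyone having to watch the chart.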