Using the eval function, trying to add a new field to the Change data model. When I try to add the new field (ie. time_millis=_time), no results come back from my tstats query. When I perform the same tstats query using SPL, I am able to get proper values (ie. timestamp with milliseconds). Does anyone have suggestions on how to add new fields to an existing CIM data model? Thanks in advance for any advice.
It is usually a bad idea to add anything to one of the stock CIM DataModels. The reason is unlike normal Splunk configurations datamodels are stored as JSON files and do NOT benefit from the default/local merging.
So if you edit a DM you now have a full static copy in the local folder that overrides the one in default. So if the stock ones get updated you never see it. You are then in the business of hand adding every little change.
We usually recommend since you have to have a copy anyway make an actual different named copy. So you can not tamper with the stock ones and use your custom one as desired.
Thanks for your feedback. I will look at making a copy and using a custom DM. As for the purpose of adding the fields, can you suggest ways to ...
- Resolve timestamp issues (ie. _time not returning seconds/milliseconds)
- Return _raw as a field (to obtain extra fields/data beyond what the CIM data model offers)
There are numerous posts on converting timestamps to milliseconds, and formatting the _time field (may involve changes to the sourcetype) so the actual syntax/solution will be based on your data set. Here is a good example of converting to milliseconds https://community.splunk.com/t5/Splunk-Search/TimeFormat-conversion-to-millisecond/m-p/212326
If you are looking to search on the _raw field, adding that to a data model is not advisable. One of the purposes of a data model is to reduce and consolidate the number of fields and size of events to a summary version so adding that field would directly contradict that purpose. I would recommend just using that field for your search or adding additional field extractions to the data and then adding the new fields to the custom DM.
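The approach both replies recommend (leave the stock Change model untouched, make a renamed copy, and put the extra eval field on the copy) as an added Python example that is not part of this thread. The stand-in datamodel JSON, the trimmed schema of the Eval calculation entry, and the `round(_time*1000)` expression for milliseconds are all assumptions; check them against an exported datamodel from your own Splunk instance before using the output.

```python
import copy
import json

# Constructed, trimmed stand-in for a stock CIM datamodel JSON (schema assumed).
STOCK_CHANGE_DM = json.dumps({
    "modelName": "Change",
    "displayName": "Change",
    "objects": [{
        "objectName": "All_Changes",
        "parentName": "BaseEvent",
        "fields": [{"fieldName": "_time", "type": "timestamp"}],
        "calculations": [],
    }],
})


def clone_datamodel(stock_json, new_name):
    """Return a renamed deep copy; the stock JSON text itself is never modified."""
    dm = copy.deepcopy(json.loads(stock_json))
    if dm["modelName"] == new_name:
        raise ValueError("custom name must differ from the stock modelName")
    dm["modelName"] = new_name
    dm["displayName"] = new_name
    return dm


def field_names(dm, object_name):
    """All field names an object exposes, including calculated (eval) ones."""
    obj = next(o for o in dm["objects"] if o["objectName"] == object_name)
    names = {f["fieldName"] for f in obj["fields"]}
    names |= {f["fieldName"] for c in obj["calculations"] for f in c["outputFields"]}
    return sorted(names)


def add_eval_field(dm, object_name, field_name, expression, field_type="number"):
    """Append an Eval calculation that produces field_name on object_name (schema assumed)."""
    if field_name in field_names(dm, object_name):
        raise ValueError(f"{field_name} already exists on {object_name}")
    obj = next(o for o in dm["objects"] if o["objectName"] == object_name)
    obj["calculations"].append({
        "calculationID": f"{object_name}_{field_name}",
        "calculationType": "Eval",
        "expression": expression,
        "outputFields": [{"fieldName": field_name, "owner": object_name, "type": field_type,
                          "required": False, "multivalue": False, "hidden": False,
                          "editable": True, "comment": ""}],
    })
    return dm


def build_custom_change_dm():
    """Custom_Change = stock Change + time_millis (epoch ms derived from _time; assumed expression)."""
    dm = clone_datamodel(STOCK_CHANGE_DM, "Custom_Change")
    return add_eval_field(dm, "All_Changes", "time_millis", "round(_time*1000)")
```

Write the returned dict with `json.dump` to `local/data/models/Custom_Change.json` in your app and point `tstats` at `datamodel=Custom_Change`; the stock `Change.json` stays as shipped.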