Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why need index when create dataset in Datamodel in Splunk 7.3

longnh26
New Member
‎10-01-2019 07:39 PM

Now i using Splunk 7.3 and creating datamodel with search sourcetype but it's false ??
I try with splunk 7.2 and lower then Ok.

Please tell me why? and how to fix it?
alt text

Tags (1)
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ivanreis
Builder
‎10-02-2019 12:37 AM

All the data ingested at Splunk have to be assigned to an index. Check if the index you are using on version 7.2 is the setup as default at Splunk role assigned to the user you are creating the datamodel. It is possible the index is setup as default for searching.
See below how you can check:
Please navigate to Splunk menu and select:

Settings/Roles and edit the particular role, and check if the index is setup as a default under Indexes tab. If so, then run the same procedure to version 7.3. If the index is not created or assigned to default, then create and setup the configuration.
The best practice is to specify the indexes when you are creating the reports/dashboards/datamodels, etc... to avoid performance issues when running on large environments. So my suggestion is to always use the index to identify your data.
E.g:

index=stream sourcetype=stream:http

alt text

View solution in original post

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution

broberg
Communicator
‎10-02-2019 04:56 AM

You should always have a index specified in the datamodel even if its index=* so if you don't have any index anywere, that error seems to be correct.

0 Karma
Reply
Solved! Jump to solution

longnh26
New Member
‎10-03-2019 12:49 AM

because this index have many other data, then i think if use only sourcetype to increase performance.

0 Karma
Reply
Solved! Jump to solution

gfreitas
Builder
‎10-02-2019 04:56 AM

Maybe if you add index=* it works?

0 Karma
Reply
Solved! Jump to solution

longnh26
New Member
‎10-03-2019 12:50 AM

Yes, it's work. But this index have many other data, then i think if use only sourcetype to increase performance.

0 Karma
Reply
Solved! Jump to solution
Solution

ivanreis
Builder
‎10-02-2019 12:37 AM

All the data ingested at Splunk have to be assigned to an index. Check if the index you are using on version 7.2 is the setup as default at Splunk role assigned to the user you are creating the datamodel. It is possible the index is setup as default for searching.
See below how you can check:
Please navigate to Splunk menu and select:

Settings/Roles and edit the particular role, and check if the index is setup as a default under Indexes tab. If so, then run the same procedure to version 7.3. If the index is not created or assigned to default, then create and setup the configuration.
The best practice is to specify the indexes when you are creating the reports/dashboards/datamodels, etc... to avoid performance issues when running on large environments. So my suggestion is to always use the index to identify your data.
E.g:

index=stream sourcetype=stream:http

alt text

Preview file
1 KB
0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...