Hi,I have a dns log whose fields are not extracted properly and so I used Rex.
I encountered a problem. When i search index = dns * source = "516" host = dns -sender All fields are extracted correctly.
But when i search
| "from datamodel:" Network_Resolution
| search dns -sender
My fields get value of unknown.
Can anyone help me !!!!
Hi @khanlarloo
The fields extracted shall be normalized to fit into Data model that you are querying. You should have CIM app installed to Splunk SH prior and you need to create at a highlevel eventtypes, tags and props for normalization. The process is not straight forward.
This link help you to achieve then if everything is successful you can query the data model (DM) however the field names would be different from you originally extracted.
Use the CIM to normalize data at search time - Splunk Documentation
---
An upvote would be appreciated if this reply helps and Accept the solution!
I did everything you said according to the link you sent, but there is still the same problem.