Splunk Search

Calculated field in data model is not available in search

marting456
Explorer

I created a calculated field in my datamodel, freight_service_error_list_martin, called loggerPackage that is the extraction of the Java package of the logger. When I selected preview I saw this field was populated correctly and it also appears under CALCULATED when I view this datamodel.

However the calculated field does not appear when executing a search on this datamodel:

"|datamodel freight_service_error_list_martin search"

What am I doing wrong?

0 Karma

marting456
Explorer

The issue here was that even though the calculated field was defined as loggerPackage in the data model, in the search it is available only as the variable in the regex. Since the regex was '(?<name>(.*))\.{1}', in search it is available as 'name' and not 'loggerPackage'. Changing the regex to '(?<loggerPackage>(.*))\.{1}' fixes the issue.


0 Karma
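The behaviour described in the accepted solution, as an added example that is not part of the original thread and is not Splunk's own code: it runs the two quoted expressions through JavaScript's regex engine, which uses the same `(?<name>...)` named-group syntax, to show that the extracted field is keyed by the capture group name. The logger name and the helper names (`extractFields`, `declaredGroupNames`, `checkExtraction`) are assumptions made for the illustration.

```javascript
// Added illustration (not Splunk code): the field produced by a regex
// extraction is keyed by the name of the capture group.

// Return the fields an extraction yields: one entry per *named* capture group.
function extractFields(pattern, value) {
  const match = new RegExp(pattern).exec(value);
  return match && match.groups ? { ...match.groups } : {};
}

// List the named groups a pattern declares, without running it.
// Lookbehinds, (?<= and (?<!, are not matched by the character class.
function declaredGroupNames(pattern) {
  return [...pattern.matchAll(/\(\?<([A-Za-z_][A-Za-z0-9_]*)>/g)].map(m => m[1]);
}

// Hypothetical review helper: does the pattern produce the field the search expects?
function checkExtraction(expectedField, pattern) {
  const names = declaredGroupNames(pattern);
  if (names.includes(expectedField)) return { ok: true, names };
  return {
    ok: false,
    names,
    hint: `field is exposed as [${names.join(", ")}]; rename the group to ${expectedField}`,
  };
}

// Constructed sample value standing in for a Java logger name.
const loggerName = "com.example.freight.service.ErrorHandler";

// The two expressions quoted in the thread.
const before = String.raw`(?<name>(.*))\.{1}`;
const after = String.raw`(?<loggerPackage>(.*))\.{1}`;

console.log(extractFields(before, loggerName));          // keyed by "name"
console.log(extractFields(after, loggerName));           // keyed by "loggerPackage"
console.log(checkExtraction("loggerPackage", before));   // ok: false, with a hint
console.log(checkExtraction("loggerPackage", after));    // ok: true
```

The greedy `(.*)` followed by a literal dot backtracks to the last dot, so the captured value is everything before the class name.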

thambisetty
SplunkTrust

@marting456 

I had thought that you created the calculated field in events and that the field is referred to in the datamodel.

Cool, you fixed the issue.

————————————
If this helps, give a like below.
0 Karma


thambisetty
SplunkTrust

Can you run the search

index=a245_freight_prod | search shakedown

and see if loggerPackage is getting populated in fields? If not, there could be something wrong in the calculated field you have created in the datamodel.

————————————
If this helps, give a like below.
0 Karma

marting456
Explorer

Not sure I understand. Why would a calculated field be available on a generic search? I defined loggerPackage in the data model. The generic search result has only 6 fields.


0 Karma