Splunk Search

How extract data model fields using REST search?

Runals
Motivator

I'm trying, at least initially, to get a list of fields for each of the Splunk CIM data models by using a REST search. If anyone has any ideas on a better way to do this I'm all ears. I'm probably missing a nuance of JSON as it relates to being displayed 'flat' in the Splunk UI.

What I'm running into is different results almost every time I run it when I use stats. The following search should pull back at least most of the data related to the alerts CIM, even if it isn't as usable as I'd like it (JSON newbie).

| rest /servicesNS/-/-/datamodel/model | search title=alerts | spath input=description | table *

The problem is that when I run the following, sometimes I get all the fields and sometimes just a subset.

| rest /servicesNS/-/-/datamodel/model | search title=alerts | spath input=description | stats values(*fields{}.displayName) by title

Sometimes I'll run the second query on a different model (say Web), get no results, run the first query (for Web), then run the second query again and get results - or get results if I change from last 60 minutes to last 24hrs. I would have thought that, being a REST call to essentially a config file, my results would be the same regardless. I've tried uploading pictures in the past and it didn't work. As an example, I just ran the second search on alerts and get the following results for the values of objects{}.fields{}.displayName:

_time  
host  
id  
severity  
source  
sourcetype  
src  

When I do the table search from the first query I get the following for the same field:

_time  
host  
source  
sourcetype  
id  
src  
severity  
severity_id  
subject  
body  
Alerts

Am stumped


reed_kelly
Contributor

This isn't using a rest call, but how about the datamodel command:

|datamodel
|spath output=modelName path=modelName
|spath output=foo path=objects{}
|mvexpand foo
|spath input=foo output=objectName path=objectName
|spath input=foo output=foo path=fields{}
|mvexpand foo
|spath input=foo output=fieldName path=fieldName
|spath input=foo output=type path=type
|table modelName,objectName,fieldName,type

remiseguy
New Member

Hello, with version 9 there is a fromjson command that makes the extraction easier:

| datamodel
| spath output=datamodel path=modelName
| search datamodel!="Application_State" AND datamodel!="Change_Analysis" AND datamodel!="Splunk_CIM_Validation" AND datamodel!="Splunk_Audit" AND datamodel!="Identity_Management"
| spath output=object path=objects{}.objectName
| spath output=fields path=objects{}.fields{}
| eval n=mvcount(fields)
| sort 0 - n
| table n datamodel object fields
| mvexpand fields 
| table datamodel object fields
| fromjson fields
| fromjson comment
| fields - fields, comment
| sort 0 datamodel object fieldName
| stats values(*) as * by datamodel object fieldName

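To make the nesting that the spath/fromjson pipelines above are walking visible outside Splunk, here is an added Python example (not code from any post in this thread). It flattens a constructed, made-up sample in the shape of the description JSON that | rest /servicesNS/-/-/datamodel/model returns per model into model/object/field rows, and it also collects the outputFields of each object's calculations, which the objects{}.fields{} path alone does not reach; the sample's field names and calculation are assumptions, not taken from a real CIM model.

```python
import json

# Constructed sample in the shape of the "description" JSON string that
# | rest /servicesNS/-/-/datamodel/model returns per model (values made up).
SAMPLE_DESCRIPTION = json.dumps({
    "modelName": "Alerts",
    "objects": [
        {"objectName": "Alerts", "parentName": "BaseEvent",
         "fields": [
             {"fieldName": "_time", "displayName": "_time", "type": "timestamp"},
             {"fieldName": "src", "displayName": "src", "type": "string"},
             {"fieldName": "severity", "displayName": "severity", "type": "string"}],
         "calculations": [
             {"calculationType": "Eval", "expression": "case(severity==\"critical\", 5)",
              "outputFields": [
                  {"fieldName": "severity_id", "displayName": "severity_id", "type": "number"}]}]},
        {"objectName": "Child_Alerts", "parentName": "Alerts",
         "fields": [{"fieldName": "subject", "displayName": "subject", "type": "string"}],
         "calculations": []},
    ],
})


def flatten_datamodel(description: str) -> list[dict]:
    """One row per field per object, covering both plain fields and the
    outputFields of calculations (which objects{}.fields{} alone does not reach)."""
    model = json.loads(description)
    rows = []
    for obj in model.get("objects", []):
        base = {"model": model["modelName"], "object": obj["objectName"]}
        for f in obj.get("fields", []):
            rows.append({**base, "field": f["fieldName"], "type": f.get("type"),
                         "origin": "field"})
        for calc in obj.get("calculations", []):
            for f in calc.get("outputFields", []):
                rows.append({**base, "field": f["fieldName"], "type": f.get("type"),
                             "origin": calc.get("calculationType", "calculation")})
    return rows


def fields_by_object(rows: list[dict]) -> dict[str, list[str]]:
    """Group field names per object (sorted) for comparison with the stats values() output."""
    grouped: dict[str, set] = {}
    for r in rows:
        grouped.setdefault(r["object"], set()).add(r["field"])
    return {name: sorted(names) for name, names in grouped.items()}
```

Running fields_by_object(flatten_datamodel(SAMPLE_DESCRIPTION)) on the sample lists severity_id under Alerts even though it is not in that object's fields array, which is the kind of gap to check for when a stats values() list looks shorter than expected.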

gabriel_vasseur
Contributor

This is awesome, I had no idea it was possible to do this! 🙂
