Hello Splunk Community,

I hope this message finds you well. I'm currently working on enhancing my workflow in the Search and Reporting app, specifically when using the datamodel command. I'm looking to streamline the process of adding fields to my search through simple clicks within the app.

e.g.: | datamodel summariesonly=t allow_old_summaries=t Windows search | search All_WinEvents.src_user="windows_user" All_WinEvents.EventCode="5140"
and I'd like to extend it with All_WinEvents.action="success" but without typing it in but using the search and reporting app itself.

I've noticed that when I interactively add fields, the query tends to extend based on indexed fields rather than the datamodel fields. My goal is to understand if there's a way to make this process more datamodel-centric.

Is there a way to configure or adjust settings so that when I click to add fields in the Search and Reporting app, it extends the query based on the datamodel command rather than defaulting to indexed fields?

e.g result.: | datamodel summariesonly=t allow_old_summaries=t Windows search | search All_WinEvents.src_user="windows_user" All_WinEvents.EventCode="5140"  All_WinEvents.action="success"

Any insights, tips, or guidance on achieving this would be highly appreciated. Thank you in advance for your assistance!

Best regards,