Solved: How to combine a search with a data model without ...

christopherwern · ‎10-12-2017

Hi experts,

I try to combine a normal search with a data model without the JOIN operator, because of the slow processing speed and the subsearch result limitation of 50.000 results per search.

I read in the .conf 2016 session by Nick Mealy (https://conf.splunk.com/files/2016/slides/let-stats-sort-them-out-building-complex-result-sets-that-...) that this not possible because the data model command is a generating command. 😞

Does anybody has a solution or face the same problem? I think it is really important to combine a data model and normal searches in a efficient way.

Kind regards,
Christopher

DalJeanis · ‎10-12-2017

There are a number of strategies. The top two are multisearch and append.

MULTISEARCH

| multisearch
    [ search with all streaming distributed commands]
    [ | datamodel search with all streaming distributed commands]
| rename COMMENT as "Commands that are not streaming go here and operate on both subsets."

APPEND

my first search 
| append [| my datamodel search ]
| rename COMMENT as "More commands that operate on both subsets."

View solution in original post

DalJeanis · ‎10-12-2017

There are a number of strategies. The top two are multisearch and append.

MULTISEARCH

| multisearch
    [ search with all streaming distributed commands]
    [ | datamodel search with all streaming distributed commands]
| rename COMMENT as "Commands that are not streaming go here and operate on both subsets."

APPEND

my first search 
| append [| my datamodel search ]
| rename COMMENT as "More commands that operate on both subsets."

How to combine a search with a data model without the JOIN operator?

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk

Modern way of developing distributed application using OTel