Hi, I'm using splunk to provide some insights into our caching performance.
Across the entire set, I can easily do it by providing a constraint that will only match the cache hit/miss lines and extracting the "cacheresult" into the data model and graphing hits vs. misses.
That was easy. The harder part is how I do this for specific sets of transactions only.
i.e. I can do
sourcetype="gem" |transaction fields=request_id | search <transaction_type>
and this will give me only the transactions that match that transaction type
however, this can't be part of a constraint for data models, as data models can't have pipes, so I can't even build from there. Any idea on how to create a model from a subset of all transactions?
Here is a screenshot example, where my root event is
web, then I've made a transaction object to group the
web objects by
clientip, and lastly, added a child object to the transaction object to search for
transaction_type=foo, which in your case, could be whatever you need for ``:
And actually, data objects in data models can have pipes, however, they need to be search objects (which can include transforming commands). Please read more about the object types and their limitations / requirements here.
Please be aware that search objects and transaction objects do not benefit from data model acceleration.
I also have a situation where I want to relate a set of events together into a meta-event, then apply the CIM Authentication data model to that meta-event. It does not seem to be currently possible though.