Solved: Use "Data Model" definitions to extract fields in ...

FRoth · ‎10-05-2013

I've already created a lot of field extractions in my Data Model definition to create Pivot views.

Is there a way to apply these definitions as extractions in my app's search? Or do I have to define the same extractions again to create new fields in the search view?

jspears · ‎10-05-2013

There is a new search command, pivot, for using data model: http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Pivot

Or to use data model data with the usual reporting commands, you can use: http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Datamodel

View solution in original post

sowings · ‎10-07-2013

It seems that the field extractions written into the data model (the JSON which stores it) are stored just there, and not within the general props of the sourcetype. In order to "backfill", I might apply the regular expressions to the sourcetype with the Fields submenu of the manager. Note that if you start with the complete set of field extractions on the sourcetype before creating your data model, the model's "auto-extracted" field list should show all of the fields on the sourcetype (assuming the sample result set is large enough to tickle all of the extractions).

Personally, I'd do field extractions first, and then the data model. But I'm firmly rooted in Splunk 4.x, 5.x, etc. 🙂

jspears · ‎10-05-2013

There is a new search command, pivot, for using data model: http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Pivot

Or to use data model data with the usual reporting commands, you can use: http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Datamodel

Use "Data Model" definitions to extract fields in Search

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes