Solved: Why are the field names different when using |from...

smoir_splunk · ‎12-01-2017

When I do a search with |from datamodel, the search results are the same as when I do a search with |datamodel, but the field names are different:

|from datamodel:Authentication.Successful_Authentication | table *
returns field names like src, dest, action

and
|datamodel Authentication Successful_Authentication search | table *
returns field names like Authentication.src, Authentication.dest, and Authentication.action.

Why are the field names different in the search results?

smoir_splunk · ‎12-01-2017

The |from command flattens the data model hierarchy, so the field names are the same but are no longer prefaced by the hierarchical syntax like with the |datamodel command, so you get just dest or src instead of Authentication.dest or Authentication.src

View solution in original post

smoir_splunk · ‎12-01-2017

The |from command flattens the data model hierarchy, so the field names are the same but are no longer prefaced by the hierarchical syntax like with the |datamodel command, so you get just dest or src instead of Authentication.dest or Authentication.src

woodcock · ‎12-01-2017

The |from command uses the datamodel constraints in regular search so you get them without the field names whereas the |datamodel command actually uses the full datamodel framework so you get the prefixes and other things.

smoir_splunk · ‎12-01-2017

(sorry I waited too long to answer my own question!)

Why are the field names different when using |from datamodel instead of |datamodel in a search?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms