Splunk Search

Why are the field names different when using |from datamodel instead of |datamodel in a search?

Splunk Employee
Splunk Employee

When I do a search with |from datamodel, the search results are the same as when I do a search with |datamodel, but the field names are different:

|from datamodel:Authentication.Successful_Authentication | table *
returns field names like src, dest, action

and
|datamodel Authentication Successful_Authentication search | table *
returns field names like Authentication.src, Authentication.dest, and Authentication.action.

Why are the field names different in the search results?

0 Karma
1 Solution

Splunk Employee
Splunk Employee

The |from command flattens the data model hierarchy, so the field names are the same but are no longer prefaced by the hierarchical syntax like with the |datamodel command, so you get just dest or src instead of Authentication.dest or Authentication.src

View solution in original post

Splunk Employee
Splunk Employee

The |from command flattens the data model hierarchy, so the field names are the same but are no longer prefaced by the hierarchical syntax like with the |datamodel command, so you get just dest or src instead of Authentication.dest or Authentication.src

View solution in original post

Esteemed Legend

The |from command uses the datamodel constraints in regular search so you get them without the field names whereas the |datamodel command actually uses the full datamodel framework so you get the prefixes and other things.

Splunk Employee
Splunk Employee

(sorry I waited too long to answer my own question!)

0 Karma