Splunk Search

how can I tell if a data model is being used?

ilhwan
Path Finder

I have a distributed environment with 2 independent search heads.  I run the same search on both, and one shows a field that the other does not.  I can't figure out why.  I can't find any data models that mention the index or sourcetype I'm searching.  Is there a way to show me if a data model is being used in my search?

The logs are coming from an IBM i-series system using syslog through sc4s.


JohnEGones
Communicator

Also, make sure that any tagging, eventtypes, and macros are properly parallel.

Data models can be tricky; there are a lot of sometimes subtle things that need to be in place and configured correctly.

About tags and aliases - Splunk Documentation
Tag event types - Splunk Documentation
About event types - Splunk Documentation
Use search macros in searches - Splunk Documentation


gcusello
SplunkTrust

Hi @ilhwan ,

In addition to the perfect answer of @richgalloway, I suggest comparing (in structure and data) the Data Models on the two SHs, because Data Models are usually located on the SH, unless you forward them to an Indexer Cluster.

Ciao.

Giuseppe


richgalloway
SplunkTrust

Two independent search heads may have separate sets of field extractions defined, which would explain why you don't see the same fields on each SH. Use btool on each SH to view and compare the props and transforms settings.

If your query references a data model then that data model is used in your search; otherwise, no data model is used.

---
If this reply helps you, Karma would be appreciated.
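Comparing btool output by eye across two search heads is error-prone, so here is a small added example (not from this thread or from Splunk) of doing it mechanically. It parses the output of `splunk btool props list cef --debug` (and the same for `transforms`) captured on each SH and reports every setting whose winning value or source file differs. The btool text below is constructed to mimic the `--debug` line format (`<source .conf path>  <[stanza] or key = value>`) and is not real output; the setting names and file paths in it are illustrative assumptions.

```python
"""Diff `splunk btool <conf> list <stanza> --debug` output captured from two search heads.

Added example, not code from the thread. Assumes the btool --debug line format
'<source .conf path>  <[stanza] or key = value>'. Sample text is constructed.
"""
import re
from collections import OrderedDict

LINE_RE = re.compile(r"^(?P<path>\S+)\s+(?P<body>.*\S)\s*$")
STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")


def parse_btool(text):
    """Parse btool --debug output into {stanza: {key: (winning_value, source_file)}}."""
    conf = OrderedDict()
    stanza = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # blank lines never match (body requires a non-space char)
        path, body = m.group("path"), m.group("body")
        s = STANZA_RE.match(body)
        if s:
            stanza = s.group("name")
            conf.setdefault(stanza, OrderedDict())
            continue
        if stanza is None or "=" not in body:
            continue
        key, value = (part.strip() for part in body.split("=", 1))
        conf[stanza][key] = (value, path)
    return conf


def diff_btool(a, b, label_a="SH1", label_b="SH2"):
    """One record per setting that is missing on one side or has a different winning value."""
    diffs = []
    for stanza in sorted(set(a) | set(b)):
        keys = set(a.get(stanza, {})) | set(b.get(stanza, {}))
        for key in sorted(keys):
            va = a.get(stanza, {}).get(key)
            vb = b.get(stanza, {}).get(key)
            if va is None or vb is None or va[0] != vb[0]:
                diffs.append({"stanza": stanza, "key": key, label_a: va, label_b: vb})
    return diffs


# Constructed sample: what `splunk btool props list cef --debug` might print on each SH.
# SH1 carries an extra EXTRACT in search/local; SH2 has KV_MODE overridden in system/local.
SH1_BTOOL = r"""
/opt/splunk/etc/apps/Splunk_TA_cef/default/props.conf   [cef]
/opt/splunk/etc/apps/Splunk_TA_cef/default/props.conf   KV_MODE = none
/opt/splunk/etc/apps/Splunk_TA_cef/default/props.conf   REPORT-cef = cef_header, cef_extension
/opt/splunk/etc/apps/search/local/props.conf            EXTRACT-ibm_job = job=(?<job_name>\S+)
"""
SH2_BTOOL = r"""
/opt/splunk/etc/apps/Splunk_TA_cef/default/props.conf   [cef]
/opt/splunk/etc/system/local/props.conf                 KV_MODE = auto
/opt/splunk/etc/apps/Splunk_TA_cef/default/props.conf   REPORT-cef = cef_header, cef_extension
"""


def sample_report():
    """Run the comparison on the constructed sample and return the differences."""
    return diff_btool(parse_btool(SH1_BTOOL), parse_btool(SH2_BTOOL))


if __name__ == "__main__":
    for d in sample_report():
        print(f"[{d['stanza']}] {d['key']}: SH1={d['SH1']}  SH2={d['SH2']}")
```

To use it on real systems, run `splunk btool props list cef --debug > sh1_props.txt` on one SH and the same on the other, feed both files to `parse_btool`, and repeat for `transforms`; a setting whose winning copy lives in `system/local` or an app's `local` directory on only one SH is the usual cause of a field appearing on one search head and not the other.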

ilhwan
Path Finder

Thank you for that suggestion. Now I'm even more confused. The events are coming in as sourcetype=cef, and there are a lot more differences than I would have expected, including what's in system/default... I've got some digging to do.
