Hello,
I was curious to see if there are any best practices for mapping to CIM datamodels. More specifically, I'm looking for some guidelines on when (not) to map a certain field to a datamodel....
We are currently using a Splunk Enterprise environment with one search head and one indexer. We enabled datamodel acceleration because the performance of the search became poor as we used the s...
Sometimes in my Splunk education I need to repeat some things for myself.
Today it's DataModel.
I have used DataModel and so-so understand how it works, but I realized today that DataModel f...
...models.conf in deployer and push to SHC?
Question 3 - What is the correct way to manage/update datamodels config in "Splunk_SA_CIM" app like adding indexes/enabling acceleration/adding removing f...
...efinecalcfields)
However, at the bottom of the datamodels page there is a message that says: "Calculated fields are processed in the order above, so ensure any dependent fields are defined first. Drag t...
Hi guys -
I have 3 datamodels, all accelerated, that I would like to join for a simple count of all events (dm1 + dm2 + dm3) by time.
3 single tstats searches work perfectly.
Search 1
| t...
Hello, I have been working on Splunk for a few months now, and we are using Splunk mainly for Cyber Security monitoring. I am wondering with regards to datamodel (CIM) should I create separate data...
...ourcetype, the calculated fields will appear.
But they are not "collected" by the DataModel as the aliases are...
I know calculations are done at search time, but so are aliases?!
Am I missing s...
Hello. I'm a Splunk newbie. There is confusion about setting up datamodel acceleration. According to the official documentation, if the data in your datamodel is out of date, Splunk will c...