When you've got ES control, but have to file a ticket that will take months to respond to from a Splunk core admin team for data issues, sometimes you just do what you gotta do. 🙂 ... View more

Actually indextime has a WONDERFUL, very security relevant use case and that's for events with potentially delayed data. A great example is EDR data; if a user is off network for awhile and the agent can't report, when they do finally log on, their events may flow in with the proper timestamps for when the event occurred *however* because we are running our detections on our most recent events, detections will completely miss these. In almost every other case, I'd recommend normal _time. But _indextime is very useful for this usecase. Also can be handy with RBA so notables don't fire as events from the beginning of the time window roll off the detection window despite having already fired a notable and APPEAR unique but throttling can't account for; explained here - https://splunk.github.io/rba/searches/deduplicate_notables/#method-ii ... View more

Finding this much later and love it. I made some slight edits to include calculated fields (the mvfilter NOT match is for the sub-model names that start with capital letters and the is_/is_not_ stuff for each sub-model): | datamodel | rex field=_raw "\"modelName\"\s*\:\s*\"(?<modelName>[^\"]+)\"" | spath output=fieldList objects{}.calculations{}.outputFields{}.displayName | spath output=fieldList2 objects{}.fields{}.displayName | eval fieldList = mvappend(fieldList,fieldList2) | where modelName!="Splunk_CIM_Validation" | table modelName fieldList | eval fieldList = mvdedup(mvfilter(NOT match(fieldList,"is_.*|^[A-Z]")))  The check index/sourcetype is a handy addition. I also highly recommend Outpost's Data Model Mechanic for troubleshooting DMs. ... View more

The search looks solid but I feel like something is up with your coalesce. From this example, the same event will not have both "indexA_agentB" and "indexB_agentB" so a coalesce will not do anything. I think what you're trying to do is rename the field they share so that they are the same, and then your stats by that field will accurately show which comes from two sourcetypes. ... View more