Lognalytics Technology
Examine and search for data model records. Use the datamodel command in splunk to return JSON for all or a particular data model and its dataset. You can also search for a specified data model or a dataset within that data model.
A data model is a hierarchical search time mapping of semantic knowledge about one or more datasets. The data model encodes the domain knowledge needed to create various special searches for these records.
You can use the Find Data Model command to find an existing data model and its dataset through the search interface.
The datamodel command in splunk is a generating command and should be the first command in the search. The generate command uses the leading pipe character.
Syntax for datamodel command in splunk:
| datamodel [<data model name>] [<dataset name>] [<data model search mode>] [strict_fields=<bool>] [allow_old_summaries=<bool>] [summariesonly=<bool>]data model search mode options:
| Mode | Description |
|---|---|
|
search |
Returns the search results in the same format as they were entered. |
|
flat |
Returns the same results as the search, except the field names are stripped of their hierarchical information. |
|
acceleration_search |
Runs the search that is used by the search head to speed up the data model. This option is only available for root event and root search datasets that employ just streaming commands. |
Example:
Shows the datamodel in json format:
| datamodel waf_events_viewer
Use search to search for events:
| datamodel waf_events_viewer search
When we are using | datamodel <datamodel_name>, this will only show the datamodel in json format and shows all the information related to that datamodel i.e. datasets, objects etc.
When we are using | datamodel <datamodel_name> search, this shows the accelerated datamodel and will only show the fields that was defined while creating it, and other data from raw logs will be neglected and will never be indexed.
Also looking for more splunk commands ?
If you are still facing issue regarding datamodel command in splunk Feel free to Ask Doubts in the Comment Box Below and Don’t Forget to Follow us on social platforms, happy Splunking >
GIPHY App Key not set. Please check settings