Splunk® Enterprise

Search Reference

Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

datamodel

Description

Examine data model or data model dataset and search a data model dataset.

Use the datamodel command to return the JSON for all or a specified data model and its datasets. You can also search against the specified data model dataset.

A data model is a hierarchically-structured search-time mapping of semantic knowledge about one or more datasets. A data model encodes the domain knowledge necessary to build a variety of specialized searches of those datasets. These specialized searches are in turn used by the search to generate reports for Pivot users. For more information, see About data models and Design data models in the Knowledge Manager Manual.

The datamodel search command lets you search existing data models and their datasets from the search interface.

The datamodel command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.

Syntax

| datamodel [<data model name>] [<dataset name>] [<search>]

Required arguments

None

Optional arguments

data model name
Syntax: <string>
Description: The name of the data model to search. When only the data model is specified, the search returns the JSON for the single data model.
dataset name
Syntax: <string>
Description: The name of a data model dataset to search. Must be specified after the data model name. The search returns the JSON for the single dataset.
search
Syntax: <search>
Description: Indicates to run the search associated with the specified data model and object. For more information, see the search command.

Usage

The datamodel command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.

Examples

The following examples are created using data from the "Data Model and Pivot Tutorial".

Example 1:

Return JSON for all data models available in the current app context.

| datamodel

Datamodel command default.png

Example 2:

Return JSON for the "Buttercup Games" data model, which has the model ID "Tutorial".

| datamodel Tutorial

Datamodel command tutorialdata.png

Example 3:

Return JSON for Buttercup Games's Client_errors dataset.

| datamodel Tutorial Client_errors

Datamodel command tutorial object.png

Example 4:

Run the search for Buttercup Games's Client_errors.

| datamodel Tutorial Client_errors search

Example 5:

Search Buttercup Games's Client_errors dataset for 404 errors and count the number of events.

| datamodel Tutorial Client_errors search | search status=404 | stats count


See also

pivot

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has about using the datamodel command.

Last modified on 18 April, 2018
ctable   datamodelsimple

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters