Splunk® Enterprise

Search Reference

Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

datamodel

Description

Examine and search data model datasets.

Use the datamodel command to return the JSON for all data models, or for a specified data model and its datasets. You can also run a search against the specified data model or against a dataset within that data model.

A data model is a hierarchically-structured search-time mapping of semantic knowledge about one or more datasets. A data model encodes the domain knowledge necessary to build a variety of specialized searches of those datasets. For more information, see About data models and Design data models in the Knowledge Manager Manual.

The datamodel search command lets you search existing data models and their datasets from the search interface.

The datamodel command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.

Syntax

| datamodel [<data model name>] [<dataset name>] [<data model search mode>] [allow_old_summaries=<bool>] [summariesonly=<bool>]

Required arguments

None

Optional arguments

data model name
Syntax: <string>
Description: The name of the data model to search. When only the data model is specified and no search mode is given, the search returns the JSON for that single data model.
dataset name
Syntax: <string>
Description: The name of a data model dataset to search. Must be specified after the data model name. When no search mode is given, the search returns the JSON for that single dataset.
data model search mode
Syntax: <data model search result mode> | <data model search string mode>
Description: You can use datamodel to run a search against a data model or a data model dataset that returns either results or a search string. To do this, you must provide a <data model search mode>. There are two <data model search mode> subcategories: modes that return results and modes that return search strings. See <data model search mode> options.
allow_old_summaries
Syntax: allow_old_summaries=<bool>
Description: This argument applies only to accelerated data models. When you change the constraints that define a data model but the Splunk software has not yet rebuilt the summaries to reflect that change, the summaries can contain some data that matches the old definition and some data that matches the new definition. By default, allow_old_summaries=false, which means that the search head does not use summary directories that are older than the current summary definition. This ensures that datamodel search results always reflect your current configuration. When you set allow_old_summaries=true, datamodel uses both current summary data and summary data that was generated before the definition change. Set allow_old_summaries=true only if the old summary data is close enough to the new definition that its results are reliable; otherwise the search can return events that no longer match the data model's constraints.
Default: false
summariesonly
Syntax: summariesonly=<bool>
Description: This argument applies only to accelerated data models. When set to false, the datamodel search returns both summarized and unsummarized data for the selected data model. When set to true, the search returns results only from the data that has been summarized in TSIDX format for the selected data model. Data that has not been summarized yet, such as the most recent events that the acceleration search has not processed, is excluded, so a search that relies on summariesonly=true can miss events the dataset otherwise matches. You can use this argument to identify what data is currently summarized for a given data model, or to ensure that a particular data model search runs only against summaries.
Default: false

<data model search mode> options

data model search result mode
Syntax: search | flat | acceleration_search
Description: The modes for running searches on a data model or data model dataset that return results.
Mode: search
Description: Returns the search results exactly as the dataset defines them.
Mode: flat
Description: Returns the same results as search mode, except that it strips the hierarchical prefix from the field names. For example, where search mode returns a field named dmdataset.server, flat mode returns a field named server.
Mode: acceleration_search
Description: Runs the search that the search head uses to accelerate the data model. This mode works only on root event datasets and on root search datasets that use only streaming commands.
data model search string mode
Syntax: search_string | flat_string | acceleration_search_string
Description: These modes return the strings for the searches that the Splunk software actually runs against the data model when it runs your SPL through the corresponding <data model search result mode>. For example, if you choose acceleration_search_string, the Splunk software returns the search string it would actually use against the data model when you run your SPL through acceleration_search mode. These modes are useful for checking what constraints and field renames a data model applies before you build searches that depend on it.

Usage

The datamodel command is a report-generating command. See Command types.

Examples

1. Return the JSON for all data models

Return JSON for all data models available in the current app context.

| datamodel

(Screenshot not reproduced: the JSON for the built-in data models of the Search app.)

2. Return the JSON for a specific datamodel

Return JSON for the data model named Splunk's Internal Audit Logs - SAMPLE, which has the model ID internal_audit_logs.

| datamodel internal_audit_logs

(Screenshot not reproduced: the JSON for the internal audit logs data model, which is built in.)

3. Return the JSON for a specific dataset

Return JSON for Buttercup Games's Client_errors dataset.

| datamodel Tutorial Client_errors

4. Run a search on a specific dataset

Run the search for Buttercup Games's Client_errors.

| datamodel Tutorial Client_errors search

5. Run a search on a dataset for specific criteria

Search Buttercup Games's Client_errors dataset for 404 errors and count the number of events. Field names returned in search mode carry a dataset prefix (see the flat mode description), so if the filter matches no events, check the exact field names with the search_string mode.

| datamodel Tutorial Client_errors search | search Tutorial.status=404 | stats count

6. For an accelerated data model, reveal what data has been summarized over a selected time range

After the Tutorial data model is accelerated, this search uses the summariesonly argument together with timechart to reveal what data has been summarized for the Client_errors dataset over the selected time range. Hours with no count are hours whose events have not been summarized yet, or that lie outside the acceleration summary range.

| datamodel Tutorial Client_errors summariesonly=true search | timechart span=1h count
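The following search extends example 6 into a summary coverage check. It is an added example and is not part of the original Splunk documentation. It assumes that the Tutorial data model with its Client_errors dataset is accelerated, and that the selected time range is short enough for the two append subsearches to complete (each subsearch reduces its events to one row per hour before returning, so subsearch row limits are not a concern). Per hour, it counts all events the dataset matches, the events that are already summarized under the current definition, and the events that are summarized under either the current or an older definition, then reports the hours in which a search run with summariesonly=true would miss events.

```spl
| datamodel Tutorial Client_errors search summariesonly=false
| bin _time span=1h
| stats count AS all_events BY _time
| append
    [| datamodel Tutorial Client_errors search summariesonly=true
     | bin _time span=1h
     | stats count AS summarized BY _time]
| append
    [| datamodel Tutorial Client_errors search summariesonly=true allow_old_summaries=true
     | bin _time span=1h
     | stats count AS summarized_incl_old BY _time]
| stats sum(all_events) AS all_events sum(summarized) AS summarized sum(summarized_incl_old) AS summarized_incl_old BY _time
| fillnull value=0 all_events summarized summarized_incl_old
| eval gap_current=all_events-summarized, gap_incl_old=all_events-summarized_incl_old
| where gap_current>0
| sort _time
```

The gap_current column is the number of events per hour that a detection search using summariesonly=true does not see until the next acceleration run processes them. The difference between summarized_incl_old and summarized shows how much of the summary data still comes from summaries built before the last change to the data model's definition; when that difference is large, results obtained with allow_old_summaries=true reflect the old constraints rather than the current ones.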

See also

pivot


Last modified on 19 September, 2019

This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0

