Hello,
First off, I hope everyone out there is staying safe and healthy. As a result of what's going on I am being asked to do some stuff with Splunk that I am not too familiar with. I am a n00b when it comes to data models but I have successfully built a couple now and they are working (mostly). However, I am having a fairly specific problem when trying to search one of them. I have been searching and banging my head against the wall for a couple of days and I am hoping someone can help. So here's the deal...
If I run this search it works and generates a table with the requested fields:
| datamodel Data_Mode_Name summariesonly=true search
| search src_ip=*
| table src_ip, src_port, src_zone, dest_ip, dest_port, dest_zone, action, acl, index
If I include a default field like sourcetype or source, or an internal field like _time, the search runs but the table comes back blank. Here's an example of one that fails:
| datamodel Data_Mode_Name summariesonly=true search
| search src_ip=*
| table _time, src_ip, src_port, src_zone, dest_ip, dest_port, dest_zone, action, acl, index
I'm running Splunk Enterprise v7.14
I'm really hoping this is something simple that I am just missing. Any help would be greatly appreciated!
Cheers,
-Mark W.
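For comparison, here is a tstats form of the same search. This is an added example and is not part of the original post. It reads the same acceleration summary (summariesonly=true) and asks for _time explicitly in the by clause rather than pulling it through the datamodel command and table. It assumes the data model in question is the CIM Network_Traffic model with the All_Traffic dataset, since the requested fields (src_ip, src_port, src_zone, dest_ip, dest_port, dest_zone, action) are that dataset's fields; the poster's Data_Mode_Name is not identified, so substitute the real model and dataset names. The acl field is not a CIM Network_Traffic field and is left out; add it to the by clause if it is an extracted field in your model.

```spl
| tstats summariesonly=true count
    from datamodel=Network_Traffic.All_Traffic
    where All_Traffic.src_ip=*
    by _time span=1h,
       All_Traffic.src_ip, All_Traffic.src_port, All_Traffic.src_zone,
       All_Traffic.dest_ip, All_Traffic.dest_port, All_Traffic.dest_zone,
       All_Traffic.action, index
| rename All_Traffic.* as *
| table _time, src_ip, src_port, src_zone, dest_ip, dest_port, dest_zone, action, index, count
```

Fields coming out of tstats are prefixed with the dataset name (All_Traffic.src_ip and so on), which is why the rename step is needed before the table; _time and index are not prefixed. The span=1h bucket is an assumption for readability and can be dropped or changed.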