Back to the Blog

Data Model Acceleration Enforcement

Posted by Kevin Chu on Tuesday, March 29, 2016 - 09:16 Operational Intelligence data model, acceleration, Enterprise Security, Splunk

Data Model Acceleration Enforcement

We have seen a few customers run into the following "gotcha" regarding data model acceleration.  Whether it be for temporary or permanent reasons, a user disables acceleration on a data model, which myesteriously is re-enabled after a restart.  To counter this, a feature called Data Model Acceleration Enforcement allows administrators to lock acceleration.  This feature is found under "Setting" > "Data Models."  Here’s how it works:

Through the user interface:

I will be using one of the default...

read more

Normalizing Data Fields using Eval and Case

Posted by Krishan Patel on Tuesday, October 13, 2015 - 09:15 Operational Intelligence Splunk, data model, windows, Mapping, Event Codes

BACKGROUND

Lately I’ve been working with a lot of Windows Security logs with different Event Codes. I wanted to set the field “src_user” but Splunk was auto-extracting field value pairs to other field names. This was particularly frustrating because I wanted to map events with different Event Codes to the same data model. In order to map different fields to “src_user,” I would need to normalize the different field names to “src_user.” Below, I go though an example using a case statement that worked perfectly and may be useful to others who come across a similar issue.

...
read more

Extending the Power of Pivot

Posted by Rupak Pandya on Thursday, October 16, 2014 - 15:01 Operational Intelligence Splunk 6, Splunk, data model, pivot, pivot editor, Dashboards, UI Customize

Data models were introduced with the release of Splunk 6 back in Oct of 2013. By now, Splunk users are aware of the pivot feature that allows them to build various types of reports that are fueled by data models without having to know the Splunk Search Processing Language (SPL). The Pivot Editor is a great way to build these reports, it allows users to simply point and click their way to creating reports/charts/graphs that provide great insight. This feature is great for users that only want to use the Pivot Editor to create their reports. However, you cannot add the Pivot Editor to a...

read more

Accelerated Data Models in a Distributed Splunk Environment

Posted by Rupak Pandya on Friday, January 31, 2014 - 14:37 Operational Intelligence, Best Practices acceleration, Best Practices, Big data, data model, Splunk, Splunk 6

Splunk v6.0.1 is packed with new features that enhance the user experience and can provide useful, lightning fast reports. For a full overview of the new features check out this link: Splunk 6!

One of the new features that provide users the ability to build exceptionally fast reports is data models. Users can use the structure provided by the data models to create pivot tables, all without knowing Splunk’s search language. Pivot users select the data model they are interested in, then point and click their...

read more
Stay In Touch