DataModels
Create, query, update, and delete data models in Splunk.
Select
The adapter will use the Splunk API to process search criteria that refer to the Id column. This column supports server-side processing for the = operator. The adapter processes other filters client-side within the adapter.
For example, the following query is processed server side by the Splunk APIs:
SELECT * FROM DataModels WHERE Id = 'SampleModel'
Insert
The Id column is the minimum requirement for an insert. In an insert, the DataModels table allows only the Id and Acceleration columns.
INSERT INTO DataModels (Id, Acceleration) VALUES ('initialname', '{"enabled":false,"earliest_time":"","hunk.file_format":"","hunk.dfs_block_size":0,"hunk.compression_codec":""}' )
Update
The DataModels table allows updates for the Acceleration column when Id is specified. You can also set the Provisional pseudocolumn.
UPDATE DataModels SET Provisional = 'true', Acceleration = '{"enabled":false,"earliest_time": "-1mon", "cron_schedule": "0 */12 * * *","hunk.file_format":"","hunk.dfs_block_size":0,"hunk.compression_codec":""}' WHERE Id = 'initialname'
Delete
The DataModels table allows deleting a record when Id is specified.
DELETE FROM Datamodels WHERE Id = 'initialname'
Columns
| Name | Type | ReadOnly | References | Description |
| Id [KEY] | String | True |
Link of the data model. | |
| Disabled | Boolean | True |
Indicates if the data model is disabled/enabled. | |
| UpdatedAt | Datetime | True |
Datetime of the last update of the data model. | |
| Description | String | True |
Description of the data model. | |
| Name | String | False |
The name of the data model in Splunk. | |
| DisplayName | String | True |
The name displayed for the data model in Splunk. | |
| Author | String | True |
Splunk user who created the data model. | |
| App | String | True |
Splunk app where the data model is shared. | |
| Owner | String | True |
Splunk user who owns the data model. | |
| CanShareApp | Boolean | True |
Boolean indicating whether the data model can be shared in an app. | |
| CanShareGlobal | Boolean | True |
Boolean indicating whether the data model can be shared globally. | |
| CanShareUser | Boolean | True |
Boolean indicating whether the data model can be shared by the user. | |
| CanWrite | Boolean | True |
Boolean indicating whether the data model can be extended by the user. | |
| Modifiable | Boolean | True |
Boolean indicating whether the data model can be modified. | |
| Removable | Boolean | True |
Boolean indicating whether the data model can be removed. | |
| Acceleration | String | False |
Acceleration settings for the data model. Supply JSON to specify any or all of the following settings: enabled (true or false), earliest_time (time modifier), or cron_schedule (cron string). | |
| AccelerationAllowed | Boolean | True |
Boolean indicating that acceleration is allowed or not for the data model. | |
| AccelerationHunkCompression | String | True |
Specifies the compression codec to be used for the accelerated orc or parquet format files. | |
| DatasetCommands | String | True |
Data model commands. | |
| DatasetDescription | String | True |
The JSON describing the data model. | |
| DatasetCurrentCommand | Integer | True |
Current command of the data model. | |
| DatasetEarliestTime | Datetime | True |
Earliest time of data model events being processed. | |
| DatasetLatestTime | Datetime | True |
Latest time of data model events being processed. | |
| DatasetDiversity | String | True |
Diversity of events being processed. | |
| DatasetLimiting | Integer | True |
Limitations of events being processed. | |
| DatasetMode | String | True |
Search mode events being processed. | |
| DatasetSampleRatio | String | True |
Sample ratio of the data model. | |
| DatasetFields | String | True |
Indexed fields the data model has. | |
| DatasetType | String | True |
Dataset type. | |
| Type | String | True |
Data model type. | |
| Digest | String | True |
Content digest type. | |
| TagsWhitelist | String | True |
Whitelist of data model tags. | |
| ReadPermitions | String | True |
Permissions to read this data model. | |
| WritePermitions | String | True |
Permissions to write to this data model. | |
| Sharing | String | True |
Data model sharing type. | |
| Username | String | True |
Username of the Splunk user. |
Pseudo-Columns
Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.
| Name | Type | Description |
| Provisional | Boolean |
Indicates whether the data model is provisional. Provisional data models are not saved. Specify true to validate a data model before saving it. |