Tables
The adapter exposes tables for data sources that support both retrieving and updating data.
Generally, querying Splunk tables is the same as querying a table in a relational database. The following sections provide Splunk-specific information on querying the tables, such as the columns required in the WHERE clause and the fields required for an insert.
Splunk Adapter Tables
| Name | Description |
|---|---|
| DataModels | Create, query, update, and delete data models in Splunk. |
| Datasets | Create, query, update, and delete datasets in Splunk. |
| SearchJobs | Create, query, update, and delete search jobs in Splunk. |
DataModels
Create, query, update, and delete data models in Splunk.
Select
The adapter will use the Splunk API to process search criteria that refer to the Id column. This column supports server-side processing for the = operator. The adapter processes other filters client-side within the adapter.
For example, the following query is processed server side by the Splunk APIs:
 
SELECT * FROM DataModels WHERE Id = 'SampleModel'
Insert
The Id column is the minimum requirement for an insert. In an insert, the DataModels table allows only the Id and Acceleration columns.
 
INSERT INTO DataModels (Id, Acceleration) VALUES ('initialname', '{"enabled":false,"earliest_time":"","hunk.file_format":"","hunk.dfs_block_size":0,"hunk.compression_codec":""}' )
Update
The DataModels table allows updates for the Acceleration column when Id is specified. You can also set the Provisional pseudocolumn.
 
UPDATE DataModels SET Provisional = 'true', Acceleration = '{"enabled":false,"earliest_time": "-1mon", "cron_schedule": "0 */12 * * *","hunk.file_format":"","hunk.dfs_block_size":0,"hunk.compression_codec":""}' WHERE Id = 'initialname'
Delete
The DataModels table allows deleting a record when Id is specified.
 
DELETE FROM DataModels WHERE Id = 'initialname'
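The statements above can be combined into a validate-then-apply sequence for acceleration changes, followed by a check of who can read or modify the model. This is an added example, not part of the original adapter documentation; it assumes a data model named SampleModel exists and that an UPDATE without the Provisional pseudocolumn is saved, as the pseudocolumn description implies.

```sql
-- 1. Validate the new acceleration settings without saving them.
--    Provisional = 'true' asks for validation only.
UPDATE DataModels
SET Provisional = 'true',
    Acceleration = '{"enabled":true,"earliest_time":"-1mon","cron_schedule":"0 */12 * * *"}'
WHERE Id = 'SampleModel';

-- 2. If validation succeeded, apply the same settings (assumption: omitting
--    Provisional saves the change).
UPDATE DataModels
SET Acceleration = '{"enabled":true,"earliest_time":"-1mon","cron_schedule":"0 */12 * * *"}'
WHERE Id = 'SampleModel';

-- 3. Confirm the stored settings and review ownership and permissions.
--    Id = '...' is processed server-side; every other column is read-only output.
SELECT Id, Acceleration, AccelerationAllowed, UpdatedAt,
       App, Owner, Author, Sharing,
       ReadPermitions, WritePermitions, Modifiable, Removable
FROM DataModels
WHERE Id = 'SampleModel';
```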
Columns
| Name | Type | ReadOnly | References | Description |
|---|---|---|---|---|
| Id [KEY] | String | False | | Id of the data model. |
| LinkId | String | True | | Link of the data model. |
| Disabled | Boolean | True | | Indicates if the data model is disabled/enabled. |
| UpdatedAt | Datetime | True | | Datetime of the last update of the data model. |
| Description | String | True | | Description of the data model. |
| Name | String | True | | The name displayed for the data model in Splunk. |
| Author | String | True | | Splunk user who created the data model. |
| App | String | True | | Splunk app where the data model is shared. |
| Owner | String | True | | Splunk user who owns the data model. |
| CanShareApp | Boolean | True | | Boolean indicating whether the data model can be shared in an app. |
| CanShareGlobal | Boolean | True | | Boolean indicating whether the data model can be shared globally. |
| CanShareUser | Boolean | True | | Boolean indicating whether the data model can be shared by the user. |
| CanWrite | Boolean | True | | Boolean indicating whether the data model can be extended by the user. |
| Modifiable | Boolean | True | | Boolean indicating whether the data model can be modified. |
| Removable | Boolean | True | | Boolean indicating whether the data model can be removed. |
| Acceleration | String | False | | Acceleration settings for the data model. Supply JSON to specify any or all of the following settings: enabled (true or false), earliest_time (time modifier), or cron_schedule (cron string). |
| AccelerationAllowed | Boolean | True | | Boolean indicating that acceleration is allowed or not for the data model. |
| AccelerationHunkCompression | String | True | | Specifies the compression codec to be used for the accelerated orc or parquet format files. |
| DatasetCommands | String | True | | Data model commands. |
| DatasetDescription | String | True | | The JSON describing the data model. |
| DatasetCurrentCommand | Integer | True | | Current command of the data model. |
| DatasetEarliestTime | Datetime | True | | Earliest time of data model events being processed. |
| DatasetLatestTime | Datetime | True | | Latest time of data model events being processed. |
| DatasetDiversity | String | True | | Diversity of events being processed. |
| DatasetLimiting | Integer | True | | Limitations of events being processed. |
| DatasetMode | String | True | | Search mode events being processed. |
| DatasetSampleRatio | String | True | | Sample ratio of the data model. |
| DatasetFields | String | True | | Indexed fields the data model has. |
| DatasetType | String | True | | Dataset type. |
| Type | String | True | | Data model type. |
| Digest | String | True | | Content digest type. |
| TagsWhitelist | String | True | | Whitelist of data model tags. |
| ReadPermitions | String | True | | Permissions to read this data model. |
| WritePermitions | String | True | | Permissions to write to this data model. |
| Sharing | String | True | | Data model sharing type. |
| Username | String | True | | Username of the Splunk user. |
Pseudo-Columns
Pseudo-column fields are used in the WHERE clause of SELECT statements and offer more granular control over the tuples that are returned from the data source.
 
| Name | Type | Description |
|---|---|---|
| Provisional | Boolean | Indicates whether the data model is provisional. Provisional data models are not saved. Specify true to validate a data model before saving it. |
| Rows@Next | String | This is used to page through multiple pages of results and should not be set manually. |
Datasets
Create, query, update, and delete datasets in Splunk.
Select
The Datasets table requires DataModelId in the WHERE clause. The DataModelId column supports server-side processing for the = operator. The adapter processes other search criteria client-side within the adapter.
 
SELECT * FROM Datasets WHERE DataModelId = 'SampleModel'
Insert
Splunk allows inserts only when DataModelId, ParentName, and ObjectName are all specified.
 
INSERT INTO [Datasets] (ObjectName, ParentName, DataModelId) VALUES ('SampleSet', 'BaseEvent','SampleModel')
Update
The Datasets table allows updates when DataModelId is specified. In this case, you can update the following columns: Description and DisplayName.
When ObjectName is also specified, you can update the following columns: ObjectDisplayName, ParentName, Comment, Fields, Calculations, Constraints, Lineage, ObjectSearchNoFields, ObjectSearch, AutoextractSearch, PreviewSearch, AccelerationSearch, BaseSearch, and TsidxNamespace.
 
UPDATE Datasets SET Description = 'model description' , DisplayName = 'Model Display Name' WHERE DataModelId = 'SampleModel'
 
UPDATE Datasets SET ParentName = 'BaseEvent', BaseSearch = '| search (index=* OR index=_*) | fields _time, RootObject', AccelerationSearch = ' search (index=* OR index=_*) ' WHERE DataModelId = 'SampleModel' AND ObjectName = 'SampleSet'
Delete
Datasets can be deleted by providing the DataModelId and the ObjectName of the dataset.
 
DELETE FROM Datasets WHERE DataModelId = 'SampleModel' AND ObjectName = 'SampleSet'
Columns
| Name | Type | ReadOnly | References | Description |
|---|---|---|---|---|
| ObjectName [KEY] | String | False | | Name of the dataset object. |
| DatamodelId [KEY] | String | False | DataModels.Id | Id of the data model the object belongs to. |
| DisplayName | String | False | | Name of the data model the object belongs to. |
| Description | String | False | | Dataset description. |
| ObjectNameList | String | True | | List of the objects in the data model. |
| ObjectDisplayName | String | False | | Name displayed in Splunk for the object. |
| ParentName | String | False | | Name of the Parent Event. |
| Comment | String | False | | Dataset comments. |
| Fields | String | False | | Dataset events indexed fields. |
| Calculations | String | False | | Saved calculations for dataset fields. |
| Constraints | String | False | | Saved constraints for dataset fields. |
| Lineage | String | False | | Dataset lineage. |
| ObjectSearchNoFields | String | False | | Object search query without fields. |
| ObjectSearch | String | False | | Saved search query for the object. |
| AutoextractSearch | String | False | | Search query for autoextraction. |
| PreviewSearch | String | False | | Search preview query. |
| AccelerationSearch | String | False | | Search query including acceleration. |
| BaseSearch | String | False | | Basic search query. |
| TsidxNamespace | String | False | | Allocated namespace. |
| EventBased | Integer | True | | Number of Event-Based objects in the data model. |
| TransactionBased | Integer | True | | Number of Transaction-Based objects in the data model. |
| SearchBased | Integer | True | | Number of Search-Based objects in the data model. |
Pseudo-Columns
Pseudo-column fields are used in the WHERE clause of SELECT statements and offer more granular control over the tuples that are returned from the data source.
 
| Name | Type | Description |
|---|---|---|
| Rows@Next | String | This is used to page through multiple pages of results and should not be set manually. |
SearchJobs
Create, query, update, and delete search jobs in Splunk.
Select
The adapter will use the Splunk APIs to process the search Id (Sid) criteria specified in the WHERE clause. The Sid column supports server-side processing for the = operator. The adapter processes other search criteria client-side within the adapter.
SELECT * FROM SearchJobs
SELECT * FROM SearchJobs WHERE Sid = '123456789.1234'
Insert
Splunk allows inserts only when EventSearch is specified. You can insert the Custom, EarliestTime, LatestTime, Label, and StatusBuckets columns and all pseudocolumns.
INSERT INTO SearchJobs (Custom, EventSearch, LatestTime, Timeout) VALUES ('custom1=test1, custom2=test2', ' from datamodel SampleModel', 'now', '60')
Update
The SearchJobs table allows updates of the Custom column only when Sid is specified.
UPDATE SearchJobs SET Custom = 'custom1=test3, custom2=test4' WHERE sid = '123456789.1234'
Delete
SearchJobs can be deleted by providing the Sid.
DELETE FROM SearchJobs WHERE Sid = '123456789.1234'
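The four operations above fit together as one job lifecycle: dispatch a bounded search, locate it, poll its state, and remove it. This is an added example, not part of the original adapter documentation; the label, the time window, and the AutoCancel value are constructed, and the Sid is the placeholder used elsewhere on this page.

```sql
-- 1. Dispatch a search job. EventSearch is required; Label makes the job easy
--    to find later. AutoCancel and Timeout are pseudocolumns that keep an
--    abandoned job from lingering on the search head.
INSERT INTO SearchJobs (EventSearch, Label, EarliestTime, LatestTime, AutoCancel, Timeout)
VALUES (' from datamodel SampleModel', 'example-sample-model-check', '-15m', 'now', '300', '60');

-- 2. Look up the Sid by label. Only Sid = '...' is processed server-side, so
--    this filter is applied by the adapter after it retrieves the job list.
SELECT Sid, DispatchState
FROM SearchJobs
WHERE Label = 'example-sample-model-check';

-- 3. Poll the job by Sid (server-side filter). IsFailed, IsZombie, and Messages
--    show why a job never reached DONE; ScanCount against ResultCount shows how
--    much data was read to produce the results.
SELECT Sid, DispatchState, DoneProgress, IsDone, IsFailed, IsZombie,
       Messages, ScanCount, ResultCount, RunDuration, DiskUsage, TTL
FROM SearchJobs
WHERE Sid = '123456789.1234';

-- 4. Remove the job once its results are no longer needed.
DELETE FROM SearchJobs WHERE Sid = '123456789.1234';
```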
Columns
| Name | Type | ReadOnly | References | Description |
|---|---|---|---|---|
| Sid [KEY] | String | False | | The search Id number. |
| EventSearch | String | False | | Subset of the entire search that is before any transforming commands. |
| Custom | String | False | | Custom job property. In an INSERT operation, pass the values as a comma-separated list of pairs of keys and values. |
| EarliestTime | String | False | | The earliest time a search job is configured to start. |
| LatestTime | String | False | | The latest time a search job is configured to start. |
| CursorTime | String | True | | The earliest time from which no events are later scanned. Can be used to indicate progress. |
| Delegate | String | True | | For saved searches, specifies jobs that were started by the user. Defaults to scheduler. |
| DiskUsage | Long | True | | The total amount of disk space used, in bytes. |
| DispatchState | String | True | | The state of the search. Can be any of QUEUED, PARSING, RUNNING, PAUSED, FINALIZING, FAILED, or DONE. |
| DoneProgress | Double | True | | A number between 0 and 1.0 that indicates the approximate progress of the search. doneProgress = (latestTime-cursorTime) / (latestTime-earliestTime) |
| DropCount | Integer | True | | For real-time searches only, the number of possible events that were dropped due to the rt_queue_size (defaults to 100000). |
| EventAvailableCount | Integer | True | | The number of events that are available for export. |
| EventCount | Integer | True | | The number of events returned by the search. |
| EventFieldCount | Integer | True | | The number of fields found in the search results. |
| EventIsStreaming | Boolean | True | | Indicates if the events of this search are being streamed. |
| EventIsTruncated | Boolean | True | | Indicates if the events of the search are not stored, making them unavailable from the events endpoint for the search. |
| EventPreviewableCount | Integer | True | | Number of in-memory events that are not yet committed to disk. |
| EventSorting | String | True | | Indicates if the events of this search are sorted, and in which order. |
| IsDone | Boolean | True | | Indicates if the search has completed. |
| IsEventsPreviewEnabled | String | True | | Indicates if the timeline_events_preview setting is enabled in limits.conf. |
| IsFailed | Boolean | True | | Indicates if there was a fatal error executing the search. For example, invalid search string syntax. |
| IsFinalized | Boolean | True | | Indicates if the search was finalized (stopped before completion). |
| IsPaused | Boolean | True | | Indicates if the search is paused. |
| IsPreviewEnabled | Boolean | True | | Indicates if previews are enabled. |
| IsRealTimeSearch | Boolean | True | | Indicates if the search is a real-time search. |
| IsRemoteTimeline | Boolean | True | | Indicates if the remote timeline feature is enabled. |
| IsSaved | Boolean | True | | Indicates that the search job is saved on disk. Search artifacts are saved on disk for 7 days from the last time that the job was viewed or touched. |
| IsSavedSearch | Boolean | True | | Indicates if this is a saved search run using the scheduler. |
| IsZombie | Boolean | True | | Indicates if the process running the search died without finishing the search. |
| Keywords | String | True | | All positive keywords used by this search. A positive keyword is a keyword that is not in a NOT clause. |
| Label | String | False | | Custom name created for this search. |
| Messages | String | True | | Errors and debug messages. |
| NumPreviews | Integer | True | | Number of previews generated so far for this search job. |
| Performance | String | True | | A representation of the execution costs. |
| Priority | Integer | True | | An integer between 0-10 that indicates the search priority. |
| RemoteSearch | String | True | | The search string that is sent to every search peer. |
| ReportSearch | String | True | | If reporting commands are used, the reporting search. |
| ResultCount | Integer | True | | The total number of results returned by the search. In other words, this is the subset of scanned events (represented by the ScanCount) that actually matches the search terms. |
| ResultIsStreaming | Boolean | True | | Indicates if the final results of the search are available using streaming (for example, no transforming operations). |
| ResultPreviewCount | Integer | True | | The number of result rows in the latest preview results. |
| RunDuration | Decimal | True | | Time in seconds that the search took to complete. |
| ScanCount | Integer | True | | The number of events that are scanned or read off disk. |
| SearchEarliestTime | Datetime | True | | Specifies the earliest time for a search, as specified in the search command rather than the EarliestTime parameter. It does not snap to the indexed data time bounds for all-time searches. |
| SearchLatestTime | Datetime | True | | Specifies the latest time for a search, as specified in the search command rather than the LatestTime parameter. It does not snap to the indexed data time bounds for all-time searches. |
| SearchProviders | String | True | | A list of all the search peers that were contacted. |
| StatusBuckets | Integer | False | | Maximum number of timeline buckets. |
| TTL | String | True | | The time to live, or the time before the search job expires after it completes. |
Pseudo-Columns
Pseudo-column fields are used in the WHERE clause of SELECT statements and offer more granular control over the tuples that are returned from the data source.
 
| Name | Type | Description |
|---|---|---|
| SearchMode | String | Searching mode, realtime or normal. If set to realtime, the search runs over the live data. The allowed values are normal, realtime. |
| EnableLookups | Boolean | Indicates whether lookups should be applied to events. |
| AutoPause | Integer | If specified, the search job pauses after this many seconds of inactivity. (0 means never autopause.) |
| AutoCancel | Integer | If specified, the job automatically cancels after this many seconds of inactivity. (0 means never autocancel.) |
| AdhocSearchLevel | Integer | Specify a search mode. Use one of the following search modes: verbose, fast, or smart. The allowed values are verbose, fast, smart. |
| ForceBundleReplication | Boolean | Specifies whether this search should cause (and wait depending on the value of SyncBundleReplication) for bundle synchronization with all search peers. |
| IndexEarliest | String | Specify a time string. Sets the earliest inclusive time bounds for the search, based on the index time bounds. |
| IndexLatest | String | Specify a time string. Sets the latest exclusive time bounds for the search, based on the index time bounds. |
| IndexedRealtime | Boolean | Indicates whether or not to use the indexed-realtime mode for real-time searches. |
| IndexedRealtimeOffset | Integer | Sets disk sync delay for indexed real-time search (seconds). |
| MaxCount | Integer | The number of events that can be accessible in any given status bucket. |
| MaxTime | Integer | Comma-separated list of (possibly wildcarded) servers from which raw events should be pulled. |
| Namespace | String | The application namespace in which to restrict searches. |
| Now | String | Specify a time string to set the absolute time used for any relative time specifier in the search. Defaults to the current system time. You can specify a relative time modifier for this parameter. For example, specify +2d to specify the current time plus two days. |
| ReduceFrequency | Integer | Determines how frequently to run the MapReduce reduce phase on accumulated map values. |
| ReloadMacros | Boolean | Specifies whether to reload macro definitions from the configuration file. |
| RemoteServerList | Integer | The number of seconds to run this search before finalizing. Specify 0 to never finalize. |
| ReplaySpeed | Integer | Indicate a real-time search replay speed factor. For example, 1 indicates normal speed, 0.5 indicates half of normal speed, and 2 indicates twice as fast as normal. |
| ReplayStartTime | String | Relative wall-clock start time for the replay. |
| ReplayEndTime | String | Relative end time for the replay clock. The replay stops when the clock time reaches this time. |
| ReuseMaxSecondsAgo | Integer | Specifies the number of seconds ago to check when an identical search is started and return the search Id of the job instead of starting a new job. |
| RequiredField | String | Adds a required field to the search. |
| RealTimeBlocking | Boolean | For a real-time search, indicates if the indexer blocks if the queue for this search is full. |
| RealTimeIndexFilter | Boolean | For a real-time search, indicates if the indexer prefilters events. |
| RealTimeMaxBlockSecs | Integer | For a real-time search with RealTimeBlocking set to true, the maximum time to block. Specify 0 to indicate no limit. |
| RealTimeQueueSize | Integer | For a real-time search, the queue size (in events) that the indexer should use for this search. |
| Timeout | Integer | The number of seconds to keep this search after processing has stopped. |
| SyncBundleReplication | String | Specifies whether this search should wait for bundle replication to complete. |
| Rows@Next | String | This is used to page through multiple pages of results and should not be set manually. |