What is the directive "read_summary" exactly doing?
Hello everyone, we are using Splunk 7.2.9 and at the moment I'm trying to figure out why the datamodel command leads to different results when we use the search mode "search" than when we use...
Datamodel combine search
Hi Splunkers, I want to use two datamodel searches at the same time. My problem: my search returns Filesystem.process_id but I also want to see process_name, which is not included in Endpoint->Filesystem...
Exclude certain log with specific attribute from a search that has multiple...
I am trying to create a report that will run on a schedule which combines different sourcetypes to run from the datamodel like below. | datamodel Email All_Email search | search sourcetype = "ms0365log OR...
How to exclude the events in the default "Anomalous Audit Trail activity...
Hello Everyone, We currently have the below default search from ES to alert for anomalous audit log clearance activities on Windows hosts. But what we have observed so far is, these alerts are...
Using a child data model to reduce search
I'm trying to create a data model with child subsets and calling this in a search. However the searches are calling the whole index rather than the subset - How do I need to adjust the setup to get...
Sourcetype with incorrect/unknown field
Hello Team, I am new to Splunking, I need to understand a few things; could anyone please answer the questions: **1.) How to make a list of sourcetypes and eventtypes that need to be fixed to allow for...
Request using datamodel
Hello; I've got this request running on my search head server: Job report: "This search has completed and has returned 1 101 résults by scanning 29 230 690 events in 860,672 seconds" Execution time:...
Can WinEventLog populate the Endpoint datamodels?
We wonder whether the WinEventLog can be applied to the Endpoint datamodels. It seems to us that - Endpoint.Process fits greatly with Windows event ID 4688 (A new process has been created). Endpoint.Service...
How do we map the same field from CIM Mapping from different models?
How do we map the same field from CIM Mapping from different models? -- Example: from the same sourcetype, data is coming in as field1 -- map to Inventory model 'dest' field; field2 -- map to Alert model 'dest' field
Problem with fields being included in a datamodel
We have data flowing into Splunk as normal. When I search for the particular data using its index or sourcetype it displays all the data correctly. When I open the datamodel I can see the correct...
Issue with generating a table from accelerated data model with default fields...
Hello, 1st off I hope everyone out there is staying safe and healthy. As a result of what's going on I am being asked to do some stuff with Splunk that I am not too familiar with. I am a n00b when it...
How to deal with the duplicate events in the Authentication datamodel?
Hi Guys, I have built the Authentication datamodel on Splunk ES. However I am dealing with a dilemma of duplicate events here. To explain it in detail: If an authentication attempt occurs from src...
Accelerated data model returning partial results when using summariesonly=true
Hello everybody, I see a strange behaviour with data model acceleration. I have a data model accelerated over 3 months. According to internal logs, scheduled acceleration searches are **not** skipped...
Unable to use tstats against child dataset in a datamodel
Hi guys, I am unable to run the tstats command against a sub-dataset in a datamodel. Whenever I try to, it throws the below error: Error in 'DataModelCache': Invalid or unaccelerable root object for...
Data Model Network_Traffic doesn't work
I am new to Splunk. I am using the Infosec app and I have a question please. I am getting logs from the firewall after executing this command: | datamodel Network_Traffic All_Traffic search But the...
Datamodel Status Shows Building
I installed [Splunk App for Web Analytics][1]; the datamodel status (of WebAnalytics) shows "Building"; however, the status was never updated and there was no data ingested into the datamodel...
Threat Intelligence integration datamodel add-on builder
Hi all, I'm trying to integrate with the Threat Intelligence Framework. I used the API as described here: https://docs.splunk.com/Documentation/ES/latest/API/ThreatIntelligenceAPIreference and was able to push...
Is it possible to use TERM() with Datamodel in a tstats?
Currently I am trying to optimize my application and I would like to know if it is possible to use TERM() with a datamodel. I have tried the following: | tstats count from datamodel=dm_name where...
Accel DM's Summary Range is 3 Months - Why Last Month's Data Not In?
Hi, Our ES's pre-packaged datamodel (DM) `Network_Traffic` has 3 months of summary range. We've introduced new logs into this said DM by adding new indexes and specifying `eventtypes` and `tags`. We've...
Splunk user unable to access datamodel data.
Users are unable to access data from a dashboard. We are using a datamodel to create that dashboard. We have enabled read access for this dashboard and datamodel but not to the raw data index. Please...