Datamodel missing field extractions, but base search returns those fields...
I have a datamodel, let's say with a base constraint that returns the following two events: 01-01-2019 01:00:00 type=VIEW_REQUEST duration=100 taskID=123456 01-01-2019 00:00:00 request=do_something...
Data model calculated field with max_match
Hello, I would like to create a calculated field within a data model with the following expression: rex field=_raw (?.*) max_match=0 But how to tell the data model to consider the max_match expression, as...
In a datamodel search why are tstats and stats results not the same?
Hello Splunkers. I changed the search to a datamodel search (tstats) to speed it up, but the stats and tstats results are slightly different. average: ex) tstats: 0.45500000000000007. stats: 0.4549999999999999....
Memory use datamodels
We're seeing massive memory use (20GB+) of the Network_Traffic datamodel acceleration searches. The limits.conf default max_mem_usage_mb is set to 200 but the tstats search doesn't seem to listen to...
Can we have datamodel acceleration for All Time?
When we set the datamodel acceleration, we see the All Time option. Can we truly have data back without limit? How can we measure the storage and processing impact of this setting?
Datamodel Acceleration - High Memory Usage
Hello, I'm facing a high memory usage on all of the 3 indexers when I try to accelerate a datamodel, even for 1 day acceleration. After investigation, high memory usage is due to searches run for...
Nested eval with stats count not working while using Data Model
Below is my query: |datamodel testing search |search wells.API="enroll" |stats count(eval(wells.resp_code="S" OR (wells.resp_code="F" AND wells.error_code="NGENR000"))) AS Success wells is the nodename...
map_notable_fields in ES bug?
Hi guys, I have this search: | datamodel "Malware" "Malware_Attacks" search | `drop_dm_object_name(Malware_Attacks)` |`map_notable_fields` | search abc It does NOT filter on the abc content. If I do...
How to use inherited fields in a child dataset?
Hello, I am using a child dataset in a datamodel. Not sure how to use fields which are inherited from the parent datamodel. I am able to access only calculated fields which are created in the child dataset....
Do all the fields in a datamodel become index-time fields?
We are looking at ES with its extensive datamodels. I wonder whether all the fields in a datamodel become index-time fields?
Data model hierarchy disrupting data?
Hi, I am trying to use a data model as I have a large dataset to accelerate the dashboards I use. So I have a 3-level hierarchy where I filter each subsequent data level by constraint. To be precise, the first level...
Datamodel does not disappear from datamodel panel in Splunk UI
Hi, I have created a datamodels.conf by mistake under the search app for the acceleration, but the actual datamodel and associated JSONs exist under Splunk_SA_CIM, so I deleted the datamodels.conf...
How to whitelist multiple IP addresses from datamodel search? (no need to use...
Hi Guys, can you please tell me how to exclude/whitelist multiple IP addresses from the **datamodel** search? Here is the example: **All_Traffic.dest_ip!=10.10.10.10 All_Traffic.dest_ip!=10.10.10.10...
Tor traffic search feeds
Hi All, I work with Datamodels and am trying to create a search that will alert me about TOR communication. Having some issues with enrichment. Can somebody help? **| eval TOR="iblocklist_tor" | lookup...
How to extract new fields from a datamodel without de-accelerating it?
Hi All, I have a datamodel "Authentication". This datamodel has already been accelerated. I require two more fields to be extracted from this datamodel. I have used the below query for excessive logins...
Enterprise Security: How to get a field break-down for a Web datamodel?
I'm looking at the *Web* datamodel and am trying to determine which fields are populated. I can do: `| tstats dc(sourcetype) FROM datamodel=Web by sourcetype` and `| tstats count(sourcetype) FROM...
How to fix this datamodel error?
"Error decompressing zstd block: Corrupted block detected" This error appears when I search with a datamodel, but this datamodel isn't accelerated, and with searches with a lot of results, and I want to...
Reverse engineering an enterprise security correlation search
I am doing a deep dive to understand the internals of a correlation search within ES so that I can justify creating new correlated searches with adjusted thresholds and/or explicit asset exceptions....