Is there a better way to improve performance using tstats when I need two...
We have a data model which has the following fields:
**Source IpAddress FileName FileVersion Flag _time**
S1 IP1 File1 FileVersion1 Flag1 _time1
S1 IP1 File1 FileVersion1 Flag2 _time2
S1 IP1 File1...
Datamodel Child object not accelerated
We created a child object within the Authentication datamodel. The Authentication datamodel is accelerated; when searching the data using summariesonly=t we get data from the root and other children but...
Datamodels getting rebuilt after attaching them to a new Search Head.
Hello, we are trying to move from a single-node installation to a multinode/Distributed Search installation (1 SH and 2 Indexers), not clustered. For this we have copied the full Production installation and...
How to stop datamodels from rebuilding on a new Distributed Search
Hi, we have broken up a single install [SH + Indexer]. We have created a new SH and added the original Indexer (full of data, Indexer and Data models). When logging into the new SH the data models are rebuilding. How...
Error message "JSON file contents not available." when configuring DM in...
Hi all, I want to configure a datamodel in different apps. One app should define the datamodel (here: search). The second app (here: dm_acc) should define schedule and acceleration....
What is the directive "read_summary" exactly doing?
Hello everyone, we are using Splunk 7.2.9 and at the moment I'm trying to figure out why the datamodel command leads to different results when we use the search mode "search" than when we use...
Datamodel combine search
Hi Splunkers, I want to use two datamodel searches at the same time. My problem: my search returns Filesystem.process_id, but I also want to see process_name, which is not included in Endpoint->Filesystem...
Exclude certain log with specific attribute from a search that has multiple...
I am trying to create a report that will run on a schedule and combines different sourcetypes to run from the datamodel like below. | datamodel Email All_Email search | search sourcetype = "ms0365log OR...
How to exclude the events in the default "Anomalous Audit Trail activity...
Hello everyone, we currently have the below default search from ES to alert on anomalous audit log clearance activities on Windows hosts. But what we have observed so far is that these alerts are...
Using a child data model to reduce search
I'm trying to create a data model with child subsets and calling this in a search. However, the searches are calling the whole index rather than the subset. How do I need to adjust the setup to get...
Sourcetype with incorrect/unknown field
Hello Team, I am new to Splunking and I need to understand a few things; could anyone please answer the questions: **1.) How to make a list of sourcetypes and eventtypes that need to be fixed to allow for...
Request using datamodel
Hello; I've got this request running on my search head server: Job report: "This search has completed and has returned 1,101 results by scanning 29,230,690 events in 860.672 seconds" Execution time:...
Can WinEventLog populate the Endpoint datamodels?
We wonder whether WinEventLog can be applied to the Endpoint datamodels. It seems to us that Endpoint.Process fits Windows event ID 4688 (A new process has been created) very well. Endpoint.Service...
How do we map same field from CIM Mapping from different model?
How do we map the same field from CIM mapping to different models? Example: from the same sourcetype, data is coming in as field1 (map to Inventory model 'dest' field) and field2 (map to Alert model 'dest' field).
Problem with fields being included in a datamodel
We have data flowing into Splunk as normal. When I search for the particular data using its index or sourcetype it displays all the data correctly. When I open the datamodel I can see the correct...
Issue with generating a table from accelerated data model with default fields...
Hello, first off I hope everyone out there is staying safe and healthy. As a result of what's going on, I am being asked to do some stuff with Splunk that I am not too familiar with. I am a n00b when it...
How to deal with the duplicate events in Authentication datamodel?
Hi guys, I have built the Authentication datamodel on Splunk ES. However, I am dealing with a dilemma of duplicate events here. To explain it in detail: if an authentication attempt occurs from src...
Accelerated data model returning partial results when using summariesonly=true
Hello everybody, I see a strange behaviour with data model acceleration. I have a data model accelerated over 3 months. According to internal logs, scheduled acceleration searches are **not** skipped...
Unable to use tstats against child dataset in a datamodel
Hi guys, I am unable to run the tstats command against the sub-dataset in a datamodel. Whenever I try to, it throws the below error: Error in 'DataModelCache': Invalid or unaccelerable root object for...
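An added example, not from any of the posts above, showing the form of tstats that works against a child dataset of an accelerated data model. tstats only accepts a data model or its root dataset in `from datamodel=`; naming a child dataset there is what produces the "Invalid or unaccelerable root object" error, so the child is selected with a `nodename` filter instead. The example assumes the CIM Authentication data model from Splunk ES with its accelerated root dataset `Authentication` and the stock child dataset `Failed_Authentication`; the threshold of 20 failures and the 24-hour window are arbitrary choices for illustration.

```spl
| tstats summariesonly=true allow_old_summaries=true
    count AS failures, min(_time) AS first_seen, max(_time) AS last_seen
    from datamodel=Authentication.Authentication
    where nodename=Authentication.Failed_Authentication
      earliest=-24h latest=now
    by Authentication.src, Authentication.user
| rename Authentication.* AS *
| where failures >= 20
| convert ctime(first_seen) ctime(last_seen)
| sort - failures
```

Two caveats a practitioner should keep in mind: `summariesonly=true` reads only the acceleration summary, so any time range the summary does not yet cover (a rebuild in progress, or a backfill that has not caught up) silently returns partial counts, which is the symptom described in the "partial results" post above; and the same `nodename` filter is the way to scope a tstats search to one child dataset instead of having it scan the whole root, which is the behaviour the "child data model to reduce search" post asks about.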
Data Model Network_Traffic doesn't work
I am new to Splunk. I am using the Infosec app and I have a question, please. I am getting logs from the firewall after executing this command: | datamodel Network_Traffic All_Traffic search But the...