tstats with datamodel does not group by a field
We have an index with quite a few index-time fields, and an accelerated datamodel that adds a calculated field there. Our objective is to group by one of the fields, find the first and the last value...
Splunk dashboard basequery with datamodel
Hi Team, I am trying to create a dashboard with a base query taking values from a data model. But it is not yielding any results (only when I have that in the base query). Seems the base query syntax is wrong, ...
map_notable_fields in ES bug?
Hi guys, I have this search: | datamodel "Malware" "Malware_Attacks" search | `drop_dm_object_name(Malware_Attacks)` | `map_notable_fields` | search abc It does NOT filter on the abc content. If I do...
How to access field displayName when searching a dataset?
I have a data model called DM1 with a data set called DM1. There are evaluated fields in this data set with different display names. I want to make a table with the displayNames, so I ran this query: |...
tstats web datamodel unable to use status in eval
Hi, I've been having issues with using eval commands with the status field from the Web datamodel, specifically with the tstats command. I'm trying to categorize the status field into failures and...
What's the best datamodel to audit processes run by users? and filesystem...
Hello again, I'm developing a compliance app (CIM, with tstats); now it is the turn to write a search to monitor processes run by users on the domain (Windows and Linux, maybe some other source of...
How to list values using tstats in Splunk ES
Hi, I am using the below search query, which lists out the sequence of logins using standard querying. What the below query does is give me the authentication actions as a list. I am looking for those...
Palo Alto Wildfire dashboard is not working
I've recently started ingestion of WildFire events in the Palo Alto app. The dashboard "Wildfire Submission" seems broken. I looked into the queries forming those panels. One of the queries I would like to mention...
DMA - datamodel artifacts filling up the dispatch dir
As the default ES DMA schedule is every 5min, and the _ACCELERATE_DM_Splunk_SA_CIM_*_ACCELERATE_ jobs' TTL is 24h, our dispatch directory is filling up. A 24h TTL with 5min runs means 288 jobs per DM, ...
tstats values() function removes duplicates from a multivalued field
My dashboard queries are based on a datamodel. Hence we are using `tstats`. We have a use case where we need to `mvzip` 2 multivalued fields. We are using `values()` in `tstats`, but `values()` remove...
Splunk Web datamodel whitelisting
Hello Splunkers, Trying to fix the Web data models in the CIM and would like to exclude a couple of IP addresses. However, I'm struggling to form a white list for those specific IP addresses. I'm...
Data model calculated field dependencies
Hi all, I am trying to use data models to extract a search time value from a lookup. However, the value I am using to join to the lookup table is extracted from the source. I have no other way to get...
Endpoint DataModel related to Windows process, process_Name, etc.
Hello team: I am working on the Splunk Endpoint Data Model and I have Windows audit logs in Splunk. My concern is, if I were to use the Splunk Endpoint Data Model with Windows logs, how do I properly map...
Improving search performance using saved search or summary index?
Hi All, I am running a search which shows the total_used_space (storage used) of an application for the last 30 days. Below is the query for the same, but it takes some 40 to 45 seconds to load the panel...
Setting alias for multivalued field for ES/CIM compliance
I created an alias for X_MS_Forwarded_Client_IP (ADFS events) to equal src. X_MS_Forwarded_Client_IP is a multivalue field, which leads me to a few questions: 1) We are running ES, so do I...
Splunk DataModel Unknown Fields
Hi Splunkers, is there a way to extract all unknown fields in a Data Model with a single query? Have a good day :