topic Re: Getting new index data into data model in Getting Data In

Getting new index data into data model

ygoltsev — Tue, 10 Aug 2021 16:15:19 GMT

Hi - I am trying to configure the authentication data model to include additional source data indexes.

We want to include Duo logs in our dashboard in Splunk ES, but am unsure how to get the data model to recognize the new data. The logs also appear to be in a different format, but I notice there's a method to "eval" the fields in the data model. Can you please advise best practice for this?

Thanks.

Re: Getting new index data into data model

richgalloway — Tue, 10 Aug 2021 17:15:51 GMT

The first step is to make sure the Duo logs are CIM-compliant. Check the manual at https://docs.splunk.com/Documentation/CIM/4.20.0/User/Authentication to see what fields the DM expects. Add FIELDALIAS and other settings to props.conf to create those fields. It's not necessary to have all of them, but you'll want to have the fields your ES use cases need.

Once that's done, go to ES's Settings menu and select "CIM Setup". Add the Duo index to the list of indexes used by the Authentication datamodel and click Save. Wait for the DM to rebuild and check the results.

Re: Getting new index data into data model

ygoltsev — Tue, 10 Aug 2021 17:47:25 GMT

This is helpful thanks!