topic Re: CIM Mapping issue in Knowledge Management

CIM Mapping issue

aknsun — Sat, 06 Jun 2020 17:19:53 GMT

Hi,
I'm doing CIM Mapping and the data I have is from Dynatrace. It's JSON format.

I had to do Field Extraction to get a field that would map to the action field in the Authentication Data Model. The problem with this specific field is that it comes as follows in the data:

"Success: True"
"Success: False"

Now I want to make this as

"Success: True" -> Success
"Success: False" -> Failure

I managed to do that with Tags.

However, I cannot get this to show up as Success & Failure when doing the Pivot as the action field show up with "Success: True" & "Success: False" values.

Any suggestion on how to work around this issue?

Thanks,
AKN

Re: CIM Mapping issue

nickhills — Mon, 17 Feb 2020 10:01:55 GMT

The data model looks at the value of the field "action"
The first thing you should to is extract the value of Success. If your data is well formed json may already the case.
If you need to manually extract it the following should work "Success: (?P<success>\w+)"

Finally, eval the value of 'success' to 'action'
|eval action=case(like(success, "True"), "success", like(success, "False"), "failure", 1=1, "unknown")
Or better yet, create it as a calculated field.

Re: CIM Mapping issue

aknsun — Tue, 18 Feb 2020 06:09:26 GMT

@nickhillscpl. Thanks for the suggestion. It worked.

Thanks,
AKN

Re: CIM Mapping issue

aknsun — Thu, 20 Feb 2020 07:19:30 GMT

Have one more issue with extraction of https status code. Stuck with this issue.

In most cases it picks up 200, but in other events it tends to pick 70 when position changes. Sample events with data masked.

10...* - - [20/Feb/2020:17:00:57 +1000] "GET abcd********* / HTTP/1.1" 200 75666
10...* - - [20/Feb/2020:17:00:57 +1000] "GET abcd*********" 200 70