topic Feeding data into a data model in Knowledge Management

Feeding data into a data model

bseppanen1 — Tue, 05 Oct 2021 18:49:22 GMT

I'm working with a standalone splunk 8.1.3 instance with the Splunk CIM 4.20.2. I have several accelerated data models that are populating data properly. I have a couple of data sources,specifically an ISC DHCP server logging to a custom UDP port, and a Palo Alto firewall which is logging to its own index, that I'm not finding the data within the data model. pan:traffic from the palo alto index should constitute network session data, and the ISC DHCP data should likewise. Is there a way to find out why that data isn't being categorized in that manner? Is there some way I can get that data in there properly?

Thanks,

Re: Feeding data into a data model

richgalloway — Tue, 05 Oct 2021 19:30:13 GMT

The key to getting data into a datamodel is to make sure the incoming data uses CIM fields. Installing the CIM app isn't enough. You may have to add EVALs or FIELDALIASes to props.conf for the appropriate sourcetypes.

Re: Feeding data into a data model

bseppanen1 — Fri, 08 Oct 2021 20:42:47 GMT

So i did discover that there is a splunk add on specific to ISC DHCP and I did install that. That add on doesn't seem to be CIM 4 compliant, so it appears I would have to do that lifting myself and worry that I will implement an Un-Common information model by doing so. Thanks for your response.

It turns out that ISC DHCP Plugin does Support CIM definitions, so I just had to redefine the sourcetype for that to happen properly.