https://community.splunk.com/t5/Splunk-Enterprise-Security/Need-changes-to-the-datamodel-search/m-p/666251#M11772 <P>May be the taging is not done it in a right way. Where we need to check further?</P> Wed, 25 Oct 2023 21:19:25 GMT AL3Z 2023-10-25T21:19:25Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Need-changes-to-the-datamodel-search/m-p/666120#M11765 <P>Hi,</P><P>I aimed to merge the "dropped" and "blocked" values under the "IDS_Attacks.action" field in the output of the datamodel search and include their respective counts within the newly created "blocked" field.</P><P>so that I can add it to the dashboard.<BR />output:</P><P>&nbsp;</P><P><SPAN><BR />IDS_Attacks.action</SPAN> count</P><TABLE border="1" width="99.87357774968397%"><TBODY><TR><TD width="63.59039190897599%" height="24px">allowed</TD><TD width="36.283185840707965%" height="24px">130016</TD></TR><TR><TD width="63.59039190897599%" height="24px">blocked</TD><TD width="36.283185840707965%" height="24px">595</TD></TR><TR><TD width="63.59039190897599%" height="24px">dropped</TD><TD width="36.283185840707965%" height="24px">1123</TD></TR></TBODY></TABLE> Wed, 25 Oct 2023 10:54:55 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Need-changes-to-the-datamodel-search/m-p/666120#M11765 AL3Z 2023-10-25T10:54:55Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Need-changes-to-the-datamodel-search/m-p/666145#M11767 <P>I strongly advise against modifying datamodels that are not your own.&nbsp; If you change a DM, your changes will override any future versions of the DM that may be released.</P><P>Instead, have your dashboard combine the values by changing "dropped" to "blocked".</P><LI-CODE lang="markup">| eval IDS_Attacks.action=if(IDS_Attacks.action="dropped","blocked",IDS_Attacks.action)</LI-CODE><P>&nbsp;</P> Wed, 25 Oct 2023 12:57:30 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Need-changes-to-the-datamodel-search/m-p/666145#M11767 richgalloway 2023-10-25T12:57:30Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Need-changes-to-the-datamodel-search/m-p/666217#M11770 <P>Hi,</P><P>Why I'm not seeing the field IDS_Attacks.sourcetype field in the datamodel&nbsp; ?&nbsp;<BR /><BR /></P> Wed, 25 Oct 2023 17:30:36 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Need-changes-to-the-datamodel-search/m-p/666217#M11770 AL3Z 2023-10-25T17:30:36Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Need-changes-to-the-datamodel-search/m-p/666237#M11771 <P>I don't know why you're not seeing the sourcetype field.&nbsp; Every event should have that field.</P> Wed, 25 Oct 2023 18:52:22 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Need-changes-to-the-datamodel-search/m-p/666237#M11771 richgalloway 2023-10-25T18:52:22Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Need-changes-to-the-datamodel-search/m-p/666251#M11772 <P>May be the taging is not done it in a right way. Where we need to check further?</P> Wed, 25 Oct 2023 21:19:25 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Need-changes-to-the-datamodel-search/m-p/666251#M11772 AL3Z 2023-10-25T21:19:25Z