Wrong values in the field within data model

fedejko — Thu, 28 Jan 2021 10:35:56 GMT

Hi,

I'm searching through the Registry data model and I noticed that in the field "user" I've got process names. How to fix it?

As far as I know, after fixing it - so in the "user" field there is actually a user name, I will need to rebuild the whole data model, right?

Will I need to take some extra steps if this data model is accelerated?

Re: Wrong values in the field within data model

tscroggins — Sun, 21 Feb 2021 07:01:50 GMT

Are you referring to the Registry data set in the Endpoint data model?

If your data is incorrect, you have field aliases, calculated fields, or field extractions on tag=endpoint tag=registry events that produce incorrect results. This could include automatic extractions on raw event text like "user=foo.exe."

Start by determining which field-value pairs identify tag=registry. You can use Settings > Tags > List by tag name in the UI or run 'splunk cmd btool tags list --debug' on your instance. From there, review and correct knowledge objects for the related events.

You can rebuild the data model or leave old, incorrect data in place while new events populate the data model correctly going forward, depending on your requirements.

topic Re: Wrong values in the field within data model in Splunk Search

Wrong values in the field within data model

Re: Wrong values in the field within data model