
How can I check if the DM configuration is set properly to read data from tags?

adol83
Explorer

Hello everyone.

I am executing the following search:
| from datamodel:Malware | search sourcetype=sentinel*

to retrieve data from ST sentinelone. However, changing the standard search in this way:

| from datamodel:Malware | search tag=attack tag=malware

results in no data output.

I tried to change the search, but every test I have done brought the same result: the Malware DM seems unable to find data for those two attacks.

However, if I run the standard search

(`cim_Malware_indexes`) tag=malware tag=attack

data is found, but from a different ST (cp_log instead of sentinelone).

How can I check if the DM configuration is set properly to read data from tags?
Is there any way to avoid tag whitelisting in the Splunk ES CIM?

Please note that whitelisting the attack and malware tags makes them readable from the Malware datamodel. I am not very keen on changing standard setups to make things work.
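Diagnostic searches for the check being asked about, added here as an example and not taken from the post: in order, they show which index/sourcetype pairs the Malware data model actually returns, which tags those events carry, which eventtypes and tags the sentinelone events themselves receive, the constraint search stored in the model definition, and the per-model tag whitelist. They assume the root dataset is named Malware_Attacks and that the whitelist setting in datamodels.conf is `tags_whitelist`, which is what the post refers to as tag whitelisting.

```spl
| tstats summariesonly=false count from datamodel=Malware.Malware_Attacks by index, sourcetype

| datamodel Malware Malware_Attacks search
| stats count by sourcetype, tag

(`cim_Malware_indexes`) sourcetype=sentinel*
| stats count by sourcetype, eventtype, tag

| rest /services/datamodel/model splunk_server=local
| search title=Malware
| spath input=eai:data path=objects{}.constraints{}.search output=constraint
| table title constraint

| rest /services/configs/conf-datamodels splunk_server=local
| search title=Malware
| table title tags_whitelist
```

If the third search shows sentinelone events without both the malware and attack tags, the gap is in that sourcetype's eventtype and tag definitions rather than in the data model constraint, so the fix belongs in the add-on's tagging rather than in the CIM setup.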
