
How to make a CIM compliant data in Splunk ES?

AL3Z
Builder

Hi, 

I have an existing DLP data model. Can we add the indexed DLP data to the existing one to make it CIM compliant, or
do we need to create a new data model to add the data?


richgalloway
SplunkTrust

Perhaps you could use the signature or signature_id field.

Avoid modifying a Splunk-provided DM.  Once you change it you essentially own the DM going forward.  Any change Splunk makes will be overridden by your local changes so you will have to merge Splunk's updates into yours.

---
If this reply helps you, Karma would be appreciated.

AL3Z
Builder

If I query with tstats, it shows the error: Error in 'DataModelEvaluator': Data model 'DLP_Incidents' was not found.


richgalloway
SplunkTrust

That screenshot tells us nothing.  It is not the place to find out if the DM contains data.  It is merely the definition of the DM itself.

To see if the DM contains data, use one of these commands:

| from datamodel:DLP
| datamodel DLP search
| tstats count from datamodel=DLP

AL3Z
Builder

Hi all,

Why is the data not feeding into the DLP data model? What could be the cause, and how do I troubleshoot this issue?

Thanks


gcusello
SplunkTrust

Hi @AL3Z,

If you don't have data in the DLP data model, check the tags.

You can easily run a search like the one contained in the data model constraints:

(`cim_DLP_indexes`) tag=dlp tag=incident

where the macro contains the list of indexes to check for data and the tags are the ones specific to the data model.

In this way you get all the events that could be inserted into that data model.

If you don't find the data you want, check the eventtypes and tags of your data: probably they aren't correctly normalized in the Add-On.

Ciao.

Giuseppe

woodcock
Esteemed Legend

Add the tags, fields, and field values that the CIM's DLP datamodel uses.  Don't start from scratch.  If there is not an existing TA on Splunkbase, you will have to do this yourself or hire somebody (we do this all the time for clients).

AL3Z
Builder

@woodcock 

I have added the tag field for the respective logs and matched the index in line with the tag fields.

How do we confirm the data is CIM compliant?

Using a search?

Thanks


richgalloway
SplunkTrust

Use the CIM Validator app (https://splunkbase.splunk.com/app/2968)


AL3Z
Builder

@richgalloway 

Is there any other alternative to validate it without using the app?

richgalloway
SplunkTrust

You could manually perform the same operations the app does.

1) Search your indexes for the tags used in the DM.

2) Compare the field names returned to the list of field names in the CIM manual (https://docs.splunk.com/Documentation/CIM/5.1.1/User/DataLossPrevention).

AL3Z
Builder

Hi, 

@richgalloway 
I can see the data is not fed into the data model.


ACCELERATION
Status: 100.00% Completed
Access Count: 0. Last Access: -
Size on Disk: 0 B
Summary Range: 604800 second(s)
Buckets: 30

richgalloway
SplunkTrust

See the response from @gcusello earlier today.

If you don't have data in the DLP data model, check the tags.

You can easily run a search like the one contained in the data model constraints:

(`cim_DLP_indexes`) tag=dlp tag=incident

where the macro contains the list of indexes to check for data and the tags are the ones specific to the data model.

In this way you get all the events that could be inserted into that data model.

If you don't find the data you want, check the eventtypes and tags of your data: probably they aren't correctly normalized in the Add-On.

AL3Z
Builder

@richgalloway @gcusello @woodcock

I am unable to see any data on how we can normalize event types in the Add-On. Additionally, there doesn't seem to be a designated column for event types, with only a column available for tags.


richgalloway
SplunkTrust

Have you read this chapter of the CIM manual? https://docs.splunk.com/Documentation/CIM/5.1.1/User/UsetheCIMtonormalizedataatsearchtime

AL3Z
Builder

Do we need to make the data CIM compliant before adding it to the datasets?

richgalloway
SplunkTrust

Data models look for events with specific tags.  Therefore, your data must have those tags for the DMs to find it.

Additionally, DMs look for specific fields in the events they find.  Your data must have those fields (not necessarily all of them - see the CIM docs at https://docs.splunk.com/Documentation/CIM/5.1.1/User/Overview).  Use TAs, field aliases, and evals as necessary to incorporate the needed fields into your data.


gcusello
SplunkTrust

Hi @AL3Z ,

Data is added to the data model based on tags generated by eventtypes.

You can also rebuild the data model to add past logs, but this operation requires some time.

Ciao.

Giuseppe


richgalloway
SplunkTrust

Every time the data model runs (every 5 minutes, by default), it automatically adds indexed data to the model. The indexed data should be CIM-compliant and be tagged as expected by the DM. There is no need to create a new DM.

AL3Z
Builder

@richgalloway ,
How can we make the indexed data CIM-compliant?
We have the Splunk Common Information Model (Splunk_SA_CIM) in our environment.

gcusello
SplunkTrust

Hi @AL3Z,

CIM compliance is usually granted by the Add-On you're using; for this reason, when you have to use a data flow in ES, it's a best practice to check the CIM compliance of the Add-On used, and you can find this information in Splunk baseline.

If you don't have a CIM compliant Add-On (because your data flow doesn't have an Add-On in Splunk baseline or because you created your own Add-On), you have to manually modify your Add-On.

You can do this with the support of some app like Add-On Builder or CIM_Validator.

In very few (and not exhaustive) words, you have to:

  • create eventtypes to tag your data,
  • create field aliases to normalize your field names,
  • create some calculated field to normalize values of some fields (e.g. action).

Ciao.

Giuseppe
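As an added example (not from the thread or from Splunk_SA_CIM), the three steps above plus richgalloway's manual check, written as Splunk .conf stanzas for a hypothetical sourcetype `acme:dlp` whose vendor field names (`employee`, `endpoint_ip`, `policy_name`, `file_name`, `verdict`) are constructed; the CIM field names `user`, `src`, `signature`, `object`, `action`, `dlp_type`, `vendor_product` and the `cim_DLP_indexes` macro are the ones the linked DLP manual and the CIM app define.

```ini
# props.conf -- applied to the constructed sourcetype "acme:dlp" (hypothetical)
[acme:dlp]
# Field aliases: map the vendor's field names onto the CIM DLP field names
FIELDALIAS-cim_dlp_user = employee AS user
FIELDALIAS-cim_dlp_src = endpoint_ip AS src
FIELDALIAS-cim_dlp_signature = policy_name AS signature
FIELDALIAS-cim_dlp_object = file_name AS object
# Calculated fields: normalize values; the vendor "verdict" becomes the CIM "action"
EVAL-action = case(verdict=="BLOCKED", "blocked", verdict=="ALLOWED", "allowed", true(), "unknown")
EVAL-vendor_product = "Acme DLP"
EVAL-dlp_type = "endpoint"

# eventtypes.conf -- the eventtype that selects the DLP incident events (hypothetical name)
[acme_dlp_incident]
search = sourcetype=acme:dlp policy_name=*

# tags.conf -- the tags the DLP data model constraint (tag=dlp tag=incident) looks for
[eventtype=acme_dlp_incident]
dlp = enabled
incident = enabled

# savedsearches.conf -- the manual check: which fields do the tagged events actually carry?
# Compare the "field" column against the DLP field list in the CIM manual.
[CIM DLP field coverage check]
search = (`cim_DLP_indexes`) tag=dlp tag=incident | fieldsummary | fields field count
```

The search in the last stanza is the same constraint search quoted earlier in the thread, extended with `fieldsummary` so missing CIM fields show up as absent rows rather than as an empty data model.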
