Splunk Common Information Model: If my data source...

vvajdic · ‎01-31-2016

The current definition for this field is this:
IDS_Attacks| user | string | The user involved with the intrusion detection event.

My data source can generate multiple user names related to an intrusion detection event.
How would be best to handle this?

Thanks.

esix_splunk · ‎01-31-2016

Without seeing your data source, most like you need to multikv these events in order to report on them individually.

Thinking of some common HIDS types logs such as McAffeeEPO, typically destination user events are individual and not reported in the same log..

Richfez · ‎01-31-2016

"How" does it generate multiple user names? Can you paste an example of the raw log? Are you already ingesting it into Splunk? If so can you paste an example of the event from Splunk?

vvajdic · ‎01-31-2016

Here is a part of a log event:

deviceSeverity=value act=value rt=value shost=value src=value sourceZoneURI=value sproc=value dhost=value dst=value destinationZoneURI=value dntdom=value dpt=value duser=value1, value2, value3, value4 fname=value cs1= value cs2=value cs3=value cs4=value

duser should map to Intrusion Detection/User and the question is what to do with multiple values of duser.

a More generally what are the options if data source generates more fields then what exists is in the data model?

Splunk Common Information Model: If my data source can generate multiple user names related to an intrusion detection event, how do I handle this?

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability