All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Common Information Model: If my data source can generate multiple user names related to an intrusion detection event, how do I handle this?

vvajdic
Splunk Employee
Splunk Employee
‎01-31-2016 05:21 PM

The current definition for this field is this:
IDS_Attacks| user | string | The user involved with the intrusion detection event.

My data source can generate multiple user names related to an intrusion detection event.
How would be best to handle this?

Thanks.

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎01-31-2016 08:17 PM

Without seeing your data source, most like you need to multikv these events in order to report on them individually.

Thinking of some common HIDS types logs such as McAffeeEPO, typically destination user events are individual and not reported in the same log..

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎01-31-2016 05:55 PM

"How" does it generate multiple user names? Can you paste an example of the raw log? Are you already ingesting it into Splunk? If so can you paste an example of the event from Splunk?

0 Karma
Reply

vvajdic
Splunk Employee
Splunk Employee
‎01-31-2016 09:55 PM

Here is a part of a log event:

deviceSeverity=value act=value rt=value shost=value src=value sourceZoneURI=value sproc=value dhost=value dst=value destinationZoneURI=value dntdom=value dpt=value duser=value1, value2, value3, value4 fname=value cs1= value cs2=value cs3=value cs4=value

duser should map to Intrusion Detection/User and the question is what to do with multiple values of duser.

a More generally what are the options if data source generates more fields then what exists is in the data model?

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...