All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Common Information Model: If my data source can generate multiple user names related to an intrusion detection event, how do I handle this?

vvajdic
Splunk Employee
Splunk Employee
‎01-31-2016 05:21 PM

The current definition for this field is this:
IDS_Attacks| user | string | The user involved with the intrusion detection event.

My data source can generate multiple user names related to an intrusion detection event.
How would be best to handle this?

Thanks.

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎01-31-2016 08:17 PM

Without seeing your data source, most like you need to multikv these events in order to report on them individually.

Thinking of some common HIDS types logs such as McAffeeEPO, typically destination user events are individual and not reported in the same log..

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎01-31-2016 05:55 PM

"How" does it generate multiple user names? Can you paste an example of the raw log? Are you already ingesting it into Splunk? If so can you paste an example of the event from Splunk?

0 Karma
Reply

vvajdic
Splunk Employee
Splunk Employee
‎01-31-2016 09:55 PM

Here is a part of a log event:

deviceSeverity=value act=value rt=value shost=value src=value sourceZoneURI=value sproc=value dhost=value dst=value destinationZoneURI=value dntdom=value dpt=value duser=value1, value2, value3, value4 fname=value cs1= value cs2=value cs3=value cs4=value

duser should map to Intrusion Detection/User and the question is what to do with multiple values of duser.

a More generally what are the options if data source generates more fields then what exists is in the data model?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...