All Apps and Add-ons

Why are the IP fields in the CIM data models defined as strings not IPv4 fields?

responsys_cm
Builder

All of the src and dest fields in the CIM Data Model app are defined as strings, not IPv4 addresses.

Why? And what does one lose or gain by defining any IP field as a string rather than an IPv4 address?

0 Karma

rpille_splunk
Splunk Employee
Splunk Employee

Using "string" as the type for ip fields in data models allows us to:
1. capture IPv6 information as well as IPv4
2. see data that's getting improperly or badly extracted into the ip fields when using the "| datamodel" or "| pivot" commands.

CIDR matching is possible on strings, so there's no clear downside. Do you have a use case that requires these to be typed as IPv4?

responsys_cm
Builder

No use case... I was just curious why there was a type for IPv4 but it wasn't used for src/dest.

Since you work for Splunk...

The Network Sessions data model uses src_ip/dest_ip. The Network Traffic model uses src/src_ip/dest/dest_ip. All the other ones use src/dest. These should be consistent across all data models.

Also... The Authentication data model's "action" field expects success/failure as the field values.

The Change Analysis data model's "action" field expects created/deleted/modified/updated/etc and the "status" field expects success/failure.

Using "action" in two different data models where the data model expects different values is a huge pain in the ass. It basically requires creating a field like "change_action" and then modifying the data model logic for the action field. I try to avoid modifying the data models if possible...

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>