All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why are the IP fields in the CIM data models defined as strings not IPv4 fields?

responsys_cm
Builder
‎01-18-2018 09:20 AM

All of the src and dest fields in the CIM Data Model app are defined as strings, not IPv4 addresses.

Why? And what does one lose or gain by defining any IP field as a string rather than an IPv4 address?

0 Karma
Reply

rpille_splunk
Splunk Employee
Splunk Employee
‎01-18-2018 09:27 AM

Using "string" as the type for ip fields in data models allows us to:
1. capture IPv6 information as well as IPv4
2. see data that's getting improperly or badly extracted into the ip fields when using the "| datamodel" or "| pivot" commands.

CIDR matching is possible on strings, so there's no clear downside. Do you have a use case that requires these to be typed as IPv4?

Reply

responsys_cm
Builder
‎01-18-2018 10:47 AM

No use case... I was just curious why there was a type for IPv4 but it wasn't used for src/dest.

Since you work for Splunk...

The Network Sessions data model uses src_ip/dest_ip. The Network Traffic model uses src/src_ip/dest/dest_ip. All the other ones use src/dest. These should be consistent across all data models.

Also... The Authentication data model's "action" field expects success/failure as the field values.

The Change Analysis data model's "action" field expects created/deleted/modified/updated/etc and the "status" field expects success/failure.

Using "action" in two different data models where the data model expects different values is a huge pain in the ass. It basically requires creating a field like "change_action" and then modifying the data model logic for the action field. I try to avoid modifying the data models if possible...

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...