Troubleshooting Data Model Network_Traffic

daniel_augustyn
Contributor

I am trying to set up ES and having some issues with Network_Traffic data model. I am getting logs from the firewalls with tags network and communicate, and I also created field alias for some of the fields. But the Network_Traffic data model still doesn't show any results. Any idea how to troubleshoot the issue?

I am getting 0 results after executing this command: | datamodel Network_Traffic All_Traffic search

I also looked into this document: http://docs.splunk.com/Documentation/ES/3.1/Install/Networkdashboard

mcxrisley08
Path Finder

I am having a similar issue with the Network_Traffic data model, but mine is stuck on building and has been for a few days. I tried turning off acceleration and turning it back on to see if that would fix it, but it still just stays on building.

0 Karma

ppablo
Retired

Hi @mcxrisley08

Since this post is almost 2 years old, I'd suggest posting a new question to get visibility for your issue. Peak traffic in the forum is from now until 1-2pm PST, so it would be a good time to post. Just provide as much detail as you can so that users in the community can fully understand your problem and help you out: what you have done so far, what your current result is, and what you expect to see.

0 Karma

mbenwell
Communicator

Assuming the current CIM data models here, do you get search results from the root object of the data model:
(`cim_Network_Traffic_indexes`) tag=network tag=communicate

If no, have you defined indexes in the cim_Network_Traffic_indexes macro? Or do you have the index in your default searched indexes?

daniel_augustyn
Contributor

I don't get any results by running this search. How do I define an index in the cim_Network_Traffic_indexes macro for this data model?

0 Karma

mbenwell
Communicator

Go to settings>advanced search>search macros. Select 'Splunk Common Information Model' (Splunk_SA_CIM) from the 'app context' menu. It should be listed there.

Do you get anything by searching just the tags:
tag=network tag=communicate

daniel_augustyn
Contributor

I found these two:

cim_Network_Traffic_indexes (index="network_summary" OR index="network_summary2" OR index="network_summary3")

communicate tag=network tag=communicate | tags outputfield=tag | fillnull value=unknown action,dvc,rule,transport,src,dest | lower(transport) | fillnull value=0 bytes_in,bytes_out,src_port,dest_port | eval bytes=if(isnull(bytes),bytes_in+bytes_out,bytes) | get_vendor_product

0 Karma

mbenwell
Communicator

So the macro "cim_Network_Traffic_indexes" contains (index="network_summary" OR index="network_summary2" OR index="network_summary3")?

That seems strange; the network_summary* indexes are from ES, not the original data, and that could be the issue. I am not sure why this would be the case, maybe something with your deployment? The macro "cim_Network_Traffic_indexes" should define the indexes to use in the data model. These cim_* macros are really there to improve performance.

Assuming there is a reason for the network_summary indexes being listed in the macro, you could add the real data index to that macro and give it a go, i.e. add " OR index=" inside the brackets.
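The checks suggested in this thread, written out as a sequence of searches to run one at a time. This is an added example, not something posted by anyone in the thread: it assumes the firewall logs live in an index called "firewall" (a placeholder, substitute your own), that Splunk_SA_CIM is installed, and that the macro lives in its macros.conf. Each search narrows down where the chain from raw event to data model breaks: raw events, tagging, the index macro, the macro's contents, and finally the data model itself.

```spl
index=firewall | head 5 | table _time sourcetype eventtype tag

tag=network tag=communicate | head 5 | table _time index sourcetype tag

(`cim_Network_Traffic_indexes`) tag=network tag=communicate | head 5 | table _time index sourcetype

| rest /servicesNS/-/-/configs/conf-macros/cim_Network_Traffic_indexes | fields title definition

| datamodel Network_Traffic All_Traffic search | head 5 | table _time index sourcetype action src dest

| tstats summariesonly=false count from datamodel=Network_Traffic by sourcetype
```

Read the results top to bottom. If the first search returns events but "eventtype" and "tag" are empty, the firewall sourcetype is not covered by an eventtype that carries the network and communicate tags, and the data model can never see it. If the second search returns events but the third returns nothing, the index macro is excluding your index; the fourth search shows the current definition so you can confirm that before editing it under Settings > Advanced search > Search macros (app context Splunk_SA_CIM) and add " OR index=firewall" inside the brackets. The fifth search should then match the third, and the last one, with summariesonly=false, reports counts even while acceleration is still building, which separates a missing-data problem from a stuck-acceleration problem like the one mcxrisley08 describes.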
