Dashboards & Visualizations
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

tstats can't access certain data model fields

stroud_bc
Path Finder
‎07-30-2021 01:23 PM

I need to be able to display the Authentication.reason field in a |tstats report, but for some reason, when I add the field to the by clause, my search returns no results (as though the field was not present in the data). Except when I query the data directly, the field IS there. I have tried this with and without data model acceleration to no avail.  

This search returns zero results:

 

 

| tstats count from datamodel=Authentication by Authentication.user, Authentication.app, Authentication.reason

 

 

This search returns results in the format I need, except I need to query multiple indexes via the data model

 

 

index=<indexname> tag=authentication
| stats count by user, app, reason

 

 

 

Tags (3)
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎08-06-2021 05:04 AM

Hi @stroud_bc,

Nice to hear you found the problem. You are right about the reason field content, I misread the documentation.

I would add the required new fields to the Authentication model since it is easier. Otherwise, you should overwrite datamodel JSON definition file with the new one and add indextime field. In any case, you will need to manage every version change. That is why I recommend adding the reason field as customization. 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎07-31-2021 10:16 PM

Hi @stroud_bc,

The reason field was added into Authentication data model with CIM 4.16.0 version.
https://docs.splunk.com/Documentation/CIM/4.16.0/User/Releasenotes 
Please check you CIM app version. Either you are using older version or you have edited the data model fields that is why you do not see new fields after upgrade.

By the way, you can use action field instead of reason field (they both show success, failure etc)

| tstats count from datamodel=Authentication by Authentication.user, Authentication.app, Authentication.action

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply

stroud_bc
Path Finder
‎08-02-2021 07:26 AM

Thanks @scelikok - you made a good point there. We did edit the Authentication data model to include the indextime field, and it looks like when we pushed past CIM 4.16, we didn't get the update to Authentication. 

Just worth noting... reason and action are not the same field. Action is "success" or "failure", while reason is an explanation of that status- e.g., "Bad password" or "User is not in required group". 

Any suggestions for updating that data model? The only things I can think of would be to either remove my custom field and update the CIM overtop of it, or to just manually add the reason field to the data model as another customization

0 Karma
Reply

jhanvidattani
Path Finder
‎07-31-2021 03:22 AM

@stroud_bc 

Can you check the below points:

  • Run the SPL mentioned in the data model and check whether it has any field named reason?
  • Whether the field named reason is mentioned in the list of extracted fields?

If you find my solution/debugging steps fruitful, then an upvote would be appreciated.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top