Dashboards & Visualizations

tstats can't access certain data model fields

stroud_bc
Path Finder

I need to be able to display the Authentication.reason field in a |tstats report, but for some reason, when I add the field to the by clause, my search returns no results (as though the field was not present in the data). Except when I query the data directly, the field IS there. I have tried this with and without data model acceleration to no avail.  

This search returns zero results:

| tstats count from datamodel=Authentication by Authentication.user, Authentication.app, Authentication.reason


This search returns results in the format I need, except I need to query multiple indexes via the data model


index=<indexname> tag=authentication
| stats count by user, app, reason

0 Karma

scelikok
SplunkTrust

Hi @stroud_bc,

Nice to hear you found the problem. You are right about the reason field content, I misread the documentation.

I would add the required new fields to the Authentication model since it is easier. Otherwise, you should overwrite the datamodel JSON definition file with the new one and add the indextime field. In any case, you will need to manage every version change. That is why I recommend adding the reason field as a customization.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

scelikok
SplunkTrust

Hi @stroud_bc,

The reason field was added to the Authentication data model in CIM version 4.16.0.
https://docs.splunk.com/Documentation/CIM/4.16.0/User/Releasenotes
Please check your CIM app version. Either you are using an older version or you have edited the data model fields; that is why you do not see the new fields after the upgrade.

By the way, you can use the action field instead of the reason field (they both show success, failure, etc.):

| tstats count from datamodel=Authentication by Authentication.user, Authentication.app, Authentication.action


If this reply helps you an upvote and "Accept as Solution" is appreciated.

stroud_bc
Path Finder

Thanks @scelikok - you made a good point there. We did edit the Authentication data model to include the indextime field, and it looks like when we pushed past CIM 4.16, we didn't get the update to Authentication.

Just worth noting... reason and action are not the same field. Action is "success" or "failure", while reason is an explanation of that status, e.g., "Bad password" or "User is not in required group".

Any suggestions for updating that data model? The only things I can think of would be to either remove my custom field and update the CIM over the top of it, or to just manually add the reason field to the data model as another customization.

0 Karma
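An added example (not code from any poster in this thread) that automates the check behind scelikok's advice and stroud_bc's question: compare the CIM-shipped default definition of the Authentication data model against a locally edited copy, list the shipped fields the local override hides (reason, in this thread), and merge them in without dropping the site's indextime customization. The JSON layout (modelName / objects / fields / fieldName) and the default-versus-local placement are assumptions, and both definitions below are constructed samples.

```python
import copy

# Constructed sample definitions, not the vendor's files. The layout is
# assumed to match the data model JSON format; DEFAULT_MODEL stands for
# what the CIM app ships, LOCAL_MODEL for the site-edited copy that shadows it.
DEFAULT_MODEL = {"modelName": "Authentication", "objects": [{
    "objectName": "Authentication",
    "fields": [
        {"fieldName": "action", "type": "string"},
        {"fieldName": "app", "type": "string"},
        {"fieldName": "user", "type": "string"},
        {"fieldName": "reason", "type": "string"},  # new in CIM 4.16.0
    ]}]}

LOCAL_MODEL = {"modelName": "Authentication", "objects": [{
    "objectName": "Authentication",
    "fields": [
        {"fieldName": "action", "type": "string"},
        {"fieldName": "app", "type": "string"},
        {"fieldName": "user", "type": "string"},
        {"fieldName": "indextime", "type": "number"},  # site customization
    ]}]}


def _object(model, object_name):
    """Find one object (dataset) inside a data model definition."""
    for obj in model.get("objects", []):
        if obj.get("objectName") == object_name:
            return obj
    raise KeyError(f"{object_name!r} not in model {model.get('modelName')!r}")


def missing_fields(default, local, object_name="Authentication"):
    """Field names shipped in the default definition that the local override
    hides; grouping tstats by such a field yields no rows."""
    shipped = {f["fieldName"] for f in _object(default, object_name)["fields"]}
    kept = {f["fieldName"] for f in _object(local, object_name)["fields"]}
    return shipped - kept


def merge_missing(default, local, object_name="Authentication"):
    """Return a copy of the local definition with the hidden default fields
    appended, so the customization survives next to the upgraded fields."""
    merged = copy.deepcopy(local)
    by_name = {f["fieldName"]: f for f in _object(default, object_name)["fields"]}
    target = _object(merged, object_name)["fields"]
    for name in sorted(missing_fields(default, local, object_name)):
        target.append(copy.deepcopy(by_name[name]))
    return merged
```

Running missing_fields(DEFAULT_MODEL, LOCAL_MODEL) on the samples reports {"reason"}, which is exactly the field the tstats search above could not group by.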

jhanvidattani
Path Finder

@stroud_bc 

Can you check the below points:

  • Run the SPL mentioned in the data model and check whether it has any field named reason?
  • Whether the field named reason is mentioned in the list of extracted fields?

If you find my solution/debugging steps fruitful, then an upvote would be appreciated.

0 Karma