Getting Data In

Data model tags whitelist - Should I add tags used inside constraints on my own?

tbonfa
Loves-to-Learn

Hi all,

I installed the Splunk CIM on my Splunk instance and I have a doubt regarding tag whitelisting.

The docs say (https://docs.splunk.com/Documentation/Splunk/8.2.4/Knowledge/Designdatamodelobjects):

[screenshot of the quoted documentation passage]

This means that the tags whitelist configuration in the Splunk CIM settings must include at least the tags used within the constraints of the specific data model.

Let's take the Authentication data model as an example.

This is the default tags whitelist configuration after installing the app:

[screenshot of the default tags whitelist for the Authentication data model]

And this is the root dataset constraint:

[screenshot of the root dataset constraint]

As you can see, the tag authentication used in the root constraint isn't, by default, one of the whitelisted tags for the Authentication data model.

Shall I add the tags used inside constraints on my own? Or is there something I'm missing?

Thanks a lot


XavG_KS
Loves-to-Learn

Hi,

Just here to add some information about your issue.

I don't think this is an error in the documentation, but it's just tricky 😊

Indeed, it is mentioned: "The list must include all of the tags in the constraint searches for the data model and any additional tags that you commonly use in searches that reference the data model."

The important words here are: "in the constraint searches for the data model". I don't know if you noticed, but a data model has two properties: Events and Searches.

In your example you show the data model "event" and not the searches. If I take another data model like "Malware", we can see that it has a search which uses tags (malware and operation)!

I think the documentation means that if you want to use the SEARCHES of a data model, then you need to add the tags to the whitelist. (Hope this is understandable.)

Here is a screenshot that illustrates this example.

[screenshot of the Malware data model search dataset and its tags whitelist]

In this example, if you don't have the "operation" tag in the tags whitelist, then the search will not work.

Hope this is helpful, have a nice day

Xavier

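To make the check discussed above concrete, here is an added example, written for this page and not taken from the thread or from the Splunk CIM app. It pulls every `tag=` reference out of a data model's constraint searches (across all of its datasets, not only the root event) and compares them with the `tags_whitelist` attribute of the matching datamodels.conf stanza, which is where the CIM setup page stores the whitelist. Both the data model JSON and the conf stanza are constructed samples: the JSON follows the shape Splunk uses (`objects[].constraints[].search`), the root constraint is modelled on the CIM Authentication dataset but is an assumption, and the whitelist values are made up so that the check has something to report.

```python
from __future__ import annotations

import configparser
import json
import re

# Constructed sample: a trimmed data model definition in the JSON shape Splunk
# uses (objects[].constraints[].search). The root constraint is modelled on the
# CIM Authentication dataset but is an assumption for this example, not a copy
# of the app's file.
SAMPLE_DATAMODEL_JSON = r"""
{
  "modelName": "Authentication",
  "objects": [
    {
      "objectName": "Authentication",
      "parentName": "BaseEvent",
      "constraints": [
        {"search": "tag=authentication NOT (action=success user=*$)",
         "owner": "Authentication"}
      ]
    },
    {
      "objectName": "Failed_Authentication",
      "parentName": "Authentication",
      "constraints": [
        {"search": "action=\"failure\"", "owner": "Failed_Authentication"}
      ]
    },
    {
      "objectName": "Privileged_Authentication",
      "parentName": "Authentication",
      "constraints": [
        {"search": "tag=privileged", "owner": "Privileged_Authentication"}
      ]
    }
  ]
}
"""

# Constructed sample datamodels.conf stanza. The CIM setup page stores the
# whitelist as the tags_whitelist attribute of the data model's stanza; the
# tag values here are made up so the check below has a gap to report.
SAMPLE_DATAMODELS_CONF = """
[Authentication]
acceleration = 1
tags_whitelist = cleartext, insecure, privileged
"""

# Matches tag=value or tag="value" inside an SPL constraint. Deliberately
# narrow: it will not see tags hidden in subsearches, macros or `tag IN (...)`.
TAG_PATTERN = re.compile(r'\btag\s*=\s*"?([A-Za-z0-9_\-]+)"?', re.IGNORECASE)


def tags_in_constraints(datamodel_json: str) -> dict[str, set[str]]:
    """Map each dataset name to the tags its own constraint searches reference."""
    model = json.loads(datamodel_json)
    result: dict[str, set[str]] = {}
    for obj in model.get("objects", []):
        found: set[str] = set()
        for constraint in obj.get("constraints", []):
            for match in TAG_PATTERN.finditer(constraint.get("search", "")):
                found.add(match.group(1).lower())
        result[obj["objectName"]] = found
    return result


def whitelist_from_conf(conf_text: str, stanza: str) -> set[str]:
    """Read tags_whitelist from one datamodels.conf stanza as a lower-cased set."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    raw = parser.get(stanza, "tags_whitelist", fallback="")
    return {tag.strip().lower() for tag in raw.split(",") if tag.strip()}


def missing_tags(datamodel_json: str, conf_text: str, stanza: str) -> list[str]:
    """Tags used by any constraint in the model but absent from the whitelist."""
    used: set[str] = set()
    for tags in tags_in_constraints(datamodel_json).values():
        used |= tags
    return sorted(used - whitelist_from_conf(conf_text, stanza))


if __name__ == "__main__":
    for dataset, tags in tags_in_constraints(SAMPLE_DATAMODEL_JSON).items():
        print(f"{dataset}: {sorted(tags) or '-'}")
    gap = missing_tags(SAMPLE_DATAMODEL_JSON, SAMPLE_DATAMODELS_CONF, "Authentication")
    print("constraint tags missing from tags_whitelist:", gap)
```

On a real system, point the two loaders at the model JSON under the CIM app's `default/data/models/` directory and at the `local/datamodels.conf` the setup page writes. Note what the report does and does not mean: as the test later in this thread shows, a tag missing from the whitelist does not stop the root dataset from returning events, so a non-empty result is a prompt to add the tag (as the documentation asks) rather than proof that the data model is broken. The regex is intentionally simple; constraints that reference tags through macros, subsearches or `tag IN (...)` need a second look by hand.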

tbonfa
Loves-to-Learn

I did a test, trying to figure out what's going on.

This is the situation with default tags whitelist:

[two screenshots: the whitelist settings and the search results with the default tags whitelist]

Then I added the tag authentication to the whitelist and performed the same search over the same discrete timeframe:

[two screenshots: the whitelist settings and the search results after adding the authentication tag]

It seems that when I put a specific tag in the whitelist box, then I can search and filter on it in the search (if it exists, obviously). The events didn't change; the count is the same.

@richgalloway, are you sure about the docs' mistake?

(Sorry for the Italian screenshots)

richgalloway
SplunkTrust

Perhaps more imprecise than wrong. Saying the data model MUST contain all of the tags specified in the constraint implies the DM will not function without it. Your test shows the DM does function, at least partially.

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust

I've used the Authentication data model without modification many times, so I suspect the documentation is incorrect. Please submit feedback on it.
