Re: Getting new index data into data model

ygoltsev · ‎08-10-2021

Hi - I am trying to configure the authentication data model to include additional source data indexes.

We want to include Duo logs in our dashboard in Splunk ES, but am unsure how to get the data model to recognize the new data. The logs also appear to be in a different format, but I notice there's a method to "eval" the fields in the data model. Can you please advise best practice for this?

Thanks.

richgalloway · ‎08-10-2021

The first step is to make sure the Duo logs are CIM-compliant. Check the manual at https://docs.splunk.com/Documentation/CIM/4.20.0/User/Authentication to see what fields the DM expects. Add FIELDALIAS and other settings to props.conf to create those fields. It's not necessary to have all of them, but you'll want to have the fields your ES use cases need.

Once that's done, go to ES's Settings menu and select "CIM Setup". Add the Duo index to the list of indexes used by the Authentication datamodel and click Save. Wait for the DM to rebuild and check the results.

---
If this reply helps you, Karma would be appreciated.

ygoltsev · ‎08-10-2021

This is helpful thanks!

Getting new index data into data model

index

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation