Knowledge Management

Authentication tag not being applied

unclemoose
Engager

I am trying to learn SIEM tech and am at the stage where I'm trying to use/set up Splunk CIM. My pipeline uses fake logs and I am trying to get them to show up with the Authentication data model. However, it seems like the authentication tag is not being applied.

(files shortened)
My eventtypes.conf:

[account_locked]
search = sourcetype="logstream" action="failure" signature="Account locked"
tags = authentication, failure, account_locked

My tags.conf:

[eventtype=account_locked]
authentication = enabled
failure = enabled
account_locked = enabled

and my props.conf:

[logstream]
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%:z
TIME_PREFIX = \"_time\": \"
MAX_TIMESTAMP_LOOKAHEAD = 30
INDEXED_EXTRACTIONS = json

FIELDALIAS-src_user_for_user = user AS src_user
FIELDALIAS-src_for_src = src AS src
FIELDALIAS-dest_for_dest = dest AS dest
FIELDALIAS-app_for_app = app AS app

Now what is really stumping me here is that no event types are being recognized. However, if I search for those logs using the command I used for the event type, I get the results and logs I am looking for:

search = sourcetype="logstream" action="failure" signature="Account locked"


A couple of things I confirmed:

- HEC token is correct
- The Field Aliases are compliant with the Authentication Data Model



livehybrid
SplunkTrust

Hi @unclemoose 

Firstly, setting tags = authentication, failure, account_locked in your eventtypes.conf is deprecated, so you should probably remove this in case it's causing an issue.

Secondly, I wanted to check what search mode you are using. Are you using Fast mode? If so you probably won't see the eventtype/tag fields come back. Try running in Smart or Verbose mode: do you see the tags returned then?

Lastly, where are these files within your environment? Are they in a custom/specific app? Are you running the search from the same app as the app? Are the configurations shared globally with the system or only within its app?


PickleRick
SplunkTrust

Apart from what has already been said about permissions, the question is what is your architecture? (all-in-one, separate indexing and search-head layer, any pre-parsing HFs?) And where did you put those props and transforms. And don't use indexed extractions unless there is absolutely no other way (not related to the problem at hand but worth remembering).

gcusello
SplunkTrust

Hi @unclemoose ,

Where are you running the eventtype search: in the same app where it was created or in another one?

Check if your eventtype is visible also outside the app where it was created; probably you shared your eventtype at app level and not at global level.

Check the permissions of the eventtype.

Ciao.

Giuseppe

PrewinThomas
Motivator

@unclemoose 

Are you seeing events with eventtype=account_locked? If not, Make sure eventtype is saved in a visible app and permissions are set to global.

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

unclemoose
Engager

This led me to the solution! I tried looking for eventtype=account_locked and got nothing. Turns out that my eventtypes were not global. Not only that, but I needed to make a copy of my tags.conf in the search app instead of it being local to the app [logstream].
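
As an added example (not posted by anyone in this thread), here is the same eventtype and tag set kept inside one hypothetical app, here called logstream_cim, with a metadata file that exports both objects globally. This is the alternative to copying tags.conf into the search app: the objects stay in the app that owns them and are still visible from search and to the CIM data models.

```ini
# Added example, not from the thread. App name "logstream_cim" is assumed.

# logstream_cim/default/eventtypes.conf
# The deprecated "tags =" key is dropped; tags live only in tags.conf.
[account_locked]
search = sourcetype="logstream" action="failure" signature="Account locked"

# logstream_cim/default/tags.conf
# Stanza key is eventtype=<name>. "authentication" puts the events in the CIM
# Authentication model; with action=failure they land in Failed_Authentication.
[eventtype=account_locked]
authentication = enabled
failure = enabled
account_locked = enabled

# logstream_cim/metadata/default.meta
# Without these stanzas the eventtype and tags are visible only when the
# search is run from inside logstream_cim. "export = system" shares them with
# every app (search included) and with data model acceleration searches.
[eventtypes]
export = system
access = read : [ * ], write : [ admin ]

[tags]
export = system
access = read : [ * ], write : [ admin ]
```

To verify from the search app, run the searches in Smart or Verbose mode (Fast mode hides eventtype and tag fields): eventtype=account_locked should return the events, and | datamodel Authentication Failed_Authentication search should show them with action=failure and src_user populated. If the first search works only inside logstream_cim, the metadata export has not taken effect; restart or debug/refresh and re-check the object's sharing in Settings > Event types.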
