Authentication tag not being applied

unclemoose
Engager

I am trying to learn SIEM tech and am at the stage where I'm trying to use/set up Splunk CIM. My pipeline uses fake logs and I am trying to get them to show up in the Authentication data model. However, it seems like the authentication tag is not being applied.

(files shortened)
My eventtypes.conf:

[account_locked]
search = sourcetype="logstream" action="failure" signature="Account locked"
tags = authentication, failure, account_locked

My tags.conf:

[eventtype=account_locked]
authentication = enabled
failure = enabled
account_locked = enabled

and my props.conf:

[logstream]
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%:z
# TIME_PREFIX is a regex, not a quoted string: match the literal "_time": " that precedes the timestamp
TIME_PREFIX = "_time":\s*"
MAX_TIMESTAMP_LOOKAHEAD = 30
INDEXED_EXTRACTIONS = json

# CIM Authentication aliases. src, dest and app are aliased to themselves,
# which is a no-op; only the user -> src_user alias actually creates a field.
FIELDALIAS-src_user_for_user = user AS src_user
FIELDALIAS-src_for_src = src AS src
FIELDALIAS-dest_for_dest = dest AS dest
FIELDALIAS-app_for_app = app AS app
Now what is really stumping me here is that no event types are being recognized. However, if I search for those logs by running the search I used for the event type, I get the results and logs I am looking for:

search = sourcetype="logstream" action="failure" signature="Account locked"


A couple of things I confirmed:

- HEC token is correct
- The field aliases are compliant with the Authentication data model


1 Solution

PrewinThomas
Motivator

@unclemoose 

Are you seeing events with eventtype=account_locked? If not, make sure the eventtype is saved in a visible app and its permissions are set to global.

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!


livehybrid
SplunkTrust

Hi @unclemoose 

Firstly, setting tags = authentication, failure, account_locked in your eventtypes.conf is deprecated, so you should probably remove it in case it is causing an issue.

Secondly, I wanted to check what search mode you are using: are you using Fast mode? If so, you probably won't see the eventtype/tag fields come back. Try running in Smart or Verbose mode: do you see the tags returned then?

Lastly, where are these files within your environment? Are they in a custom/specific app? Are you running the search from that same app? Are the configurations shared globally with the system or only within their app?

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

PickleRick
SplunkTrust

Apart from what has already been said about permissions, the question is what is your architecture? (all-in-one, separate indexing and search-head layer, any pre-parsing HFs?) And where did you put those props and transforms. And don't use indexed extractions unless there is absolutely no other way (not related to the problem at hand but worth remembering).

gcusello
SplunkTrust

Hi @unclemoose ,

where are you running the eventtype search: in the same app where it was created or in another one?

check if your eventtype is visible also outside the app where it was created, probably you shared your eventtype at app level and not at global level.

check the permissions of the eventtype.

Ciao.

Giuseppe
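The replies from PrewinThomas, livehybrid and gcusello above all point at the same failure mode: the eventtype and its tags exist, but they are scoped to the app that defines them, so a search run from another app (such as the search app) never populates eventtype=account_locked and the authentication tag is never applied. The script below is an added example written for this page; it is not Splunk code and not something any of the posters provided. It parses the thread's eventtypes.conf and tags.conf together with two constructed metadata/local.meta variants (one app-private, one with export = system), evaluates the eventtype search against constructed sample events, and reports which tags an event would receive when the search runs from the defining app versus from the search app. The search evaluation handles only AND-ed key="value" terms, and the visibility rule it models (own app always, other apps only when export = system) is a simplified version of Splunk's permission model; the authoritative check on a real search head is Settings > Event types > Permissions, or `splunk btool eventtypes list --debug` and `splunk btool tags list --debug` to see which file each stanza comes from.

```python
"""Toy evaluator for Splunk's eventtype -> tag chain, with app-scope checks.

Reads eventtypes.conf, tags.conf and metadata/local.meta text (constructed
samples below, mirroring the thread), evaluates an eventtype's search as an
AND of key="value" terms against already-extracted events, and reports which
tags an event would receive when the search runs from a given app.  Objects
without `export = system` are visible only inside the app that defines them,
which is the failure mode in the thread.
"""
import configparser
import shlex

EVENTTYPES_CONF = """\
[account_locked]
search = sourcetype="logstream" action="failure" signature="Account locked"
"""

TAGS_CONF = """\
[eventtype=account_locked]
authentication = enabled
failure = enabled
account_locked = enabled
"""

# Constructed metadata/local.meta for the app that owns the objects.
# App-private: no export line, so only searches run from that app see them.
META_APP_PRIVATE = """\
[eventtypes]
access = read : [ * ], write : [ admin ]

[tags]
access = read : [ * ], write : [ admin ]
"""

# Global: export = system makes eventtypes and tags visible from every app,
# including the search app where CIM data-model searches are usually run.
META_GLOBAL = """\
[eventtypes]
access = read : [ * ], write : [ admin ]
export = system

[tags]
access = read : [ * ], write : [ admin ]
export = system
"""

# Constructed sample events (fields as they would be after JSON extraction).
SAMPLE_EVENTS = [
    {"sourcetype": "logstream", "action": "failure", "signature": "Account locked",
     "user": "alice", "src": "10.0.0.5", "dest": "dc01", "app": "win:local"},
    {"sourcetype": "logstream", "action": "success", "signature": "Logon",
     "user": "bob", "src": "10.0.0.9", "dest": "dc01", "app": "win:local"},
]


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, keeping key case."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def search_terms(search):
    """Turn `k="v" k2="v 2"` into {k: v}; only AND-ed key=value terms are modelled."""
    terms = {}
    for tok in shlex.split(search):  # shlex keeps quoted values with spaces intact
        if "=" not in tok:
            raise ValueError(f"unsupported search term {tok!r}")
        key, value = tok.split("=", 1)
        terms[key] = value
    return terms


def matching_eventtypes(event, eventtypes):
    """Names of eventtypes whose terms all match the event (values case-insensitive)."""
    hits = []
    for name, stanza in eventtypes.items():
        terms = search_terms(stanza["search"])
        if all(str(event.get(k, "")).lower() == v.lower() for k, v in terms.items()):
            hits.append(name)
    return hits


def visible(meta, obj_type, knowledge_app, search_app):
    """Objects are visible in their own app always, elsewhere only if export = system."""
    if knowledge_app == search_app:
        return True
    return meta.get(obj_type, {}).get("export", "").strip().lower() == "system"


def tags_for_event(event, eventtypes_text, tags_text, meta_text, knowledge_app, search_app):
    """Tags the event gets when searched from search_app; empty if the chain breaks."""
    meta = parse_conf(meta_text)
    if not visible(meta, "eventtypes", knowledge_app, search_app):
        return set()  # eventtype= never populates, so nothing downstream fires
    if not visible(meta, "tags", knowledge_app, search_app):
        return set()  # eventtype matches but tag= stays empty (the OP's second problem)
    eventtypes = parse_conf(eventtypes_text)
    tags = parse_conf(tags_text)
    found = set()
    for et in matching_eventtypes(event, eventtypes):
        stanza = tags.get(f"eventtype={et}", {})
        found |= {t for t, state in stanza.items() if state.strip().lower() == "enabled"}
    return found


if __name__ == "__main__":
    for meta_name, meta in (("app-private", META_APP_PRIVATE), ("global", META_GLOBAL)):
        for app in ("logstream", "search"):
            got = tags_for_event(SAMPLE_EVENTS[0], EVENTTYPES_CONF, TAGS_CONF, meta, "logstream", app)
            print(f"{meta_name:12} searched from {app:10}: tags={sorted(got)}")
```

Running it shows the locked-account event picking up authentication, failure and account_locked only when the search runs from the defining app or when both the eventtypes and tags stanzas carry export = system; the successful logon never matches. In a real deployment the equivalent fix is the `[eventtypes]` and `[tags]` stanzas with `export = system` in the app's metadata/local.meta (or setting the objects' permissions to All apps in the UI), and, as PickleRick notes, these are knowledge objects that belong on the search head rather than on an indexer or heavy forwarder.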

unclemoose
Engager

This led me to the solution! I tried looking for eventtype=account_locked and got nothing. Turns out that my eventtypes were not global. Not only that, but I needed to make a copy of my tags.conf in the search app instead of it being local to the app [logstream].
