Knowledge Management

CIM Mapping issue

aknsun
Path Finder

Hi,
I'm doing CIM Mapping and the data I have is from Dynatrace. It's JSON format.

I had to do Field Extraction to get a field that would map to the action field in the Authentication Data Model. The problem with this specific field is that it comes as follows in the data:

"Success: True"
"Success: False"

Now I want to make this as

"Success: True" -> Success
"Success: False" -> Failure

I managed to do that with Tags.

However, I cannot get this to show up as Success & Failure when doing the Pivot as the action field show up with "Success: True" & "Success: False" values.

Any suggestion on how to work around this issue?

Thanks,
AKN

Labels (1)
Tags (2)
0 Karma
1 Solution

nickhills
Ultra Champion

The data model looks at the value of the field "action"
The first thing you should to is extract the value of Success. If your data is well formed json may already the case.
If you need to manually extract it the following should work "Success: (?P<success>\w+)"

Finally, eval the value of 'success' to 'action'
|eval action=case(like(success, "True"), "success", like(success, "False"), "failure", 1=1, "unknown")
Or better yet, create it as a calculated field.

If my comment helps, please give it a thumbs up!

View solution in original post

aknsun
Path Finder

Have one more issue with extraction of https status code. Stuck with this issue.

In most cases it picks up 200, but in other events it tends to pick 70 when position changes. Sample events with data masked.

10...* - - [20/Feb/2020:17:00:57 +1000] "GET abcd********* / HTTP/1.1" 200 75666
10...* - - [20/Feb/2020:17:00:57 +1000] "GET abcd*********" 200 70

0 Karma

nickhills
Ultra Champion

The data model looks at the value of the field "action"
The first thing you should to is extract the value of Success. If your data is well formed json may already the case.
If you need to manually extract it the following should work "Success: (?P<success>\w+)"

Finally, eval the value of 'success' to 'action'
|eval action=case(like(success, "True"), "success", like(success, "False"), "failure", 1=1, "unknown")
Or better yet, create it as a calculated field.

If my comment helps, please give it a thumbs up!

aknsun
Path Finder

@nickhillscpl. Thanks for the suggestion. It worked.

Thanks,
AKN

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...