Calculated Data Model Field Value Inaccessible

joeldavideng
Path Finder

I created a data model called "Process_Creation" with a calculated field that represents the length of a specific string in the modeled events called "command_line_length". I can display the correct values for each event using a table command with "Process_Creation.command_line_length", however that seems to be all I can do with the data model field. When I attempt to compare the value to any numerical value I get zero results no matter the comparison type.

The calculated field is stored as a number and the values are correct so I suspect the "where" command is not referencing the actual stored value. Any ideas?


| datamodel Process_Monitoring Process_Creation search
| eval threshold = [ | search index=summary "search_name=pm_command_line_length_stats" earliest=-90d@d latest=-1d@d | stats avg(command_line_length) AS command_line_average stdev(command_line_length) AS command_line_stdev
| eval threshold = round(command_line_average + ( command_line_stdev * 6 ))
| return $threshold ]
| where Process_Creation.command_line_length > threshold

0 Karma
1 Solution

joeldavideng
Path Finder

For anyone else with the same problem, it appears that doing comparisons against the actual value of a data model field requires you to use enclosing $s to get the value rather than the variable reference.

niketn
Legend

@joeldavideng, can you add the final query that worked for you in your answer as well?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

joeldavideng
Path Finder

Sure thing, it was very close to the original.


| datamodel Process_Monitoring Process_Creation search
| eval threshold = [ | search index=summary "search_name=pm_command_line_length_stats" earliest=-90d@d latest=-1d@d | stats avg(command_line_length) AS command_line_average stdev(command_line_length) AS command_line_stdev
| eval threshold = round(command_line_average + ( command_line_stdev * 6 ))
| return $threshold ]
| where $Process_Creation.command_line_length$ > threshold

0 Karma
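The type error reported further down the thread ("The '>' operator received different types") is worth understanding, because the same trap hits any detection search that compares a data model field. In eval expressions, which is what `where` evaluates, the dot is the string concatenation operator, so an unquoted `Process_Creation.command_line_length` is parsed as the concatenation of two (non-existent) fields, which yields a string, not the number stored in the field. The documented way to reference a field name containing dots or other special characters inside `eval`/`where` is to enclose it in single quotes. The search below is an added example, not the thread author's own query: it keeps the 90-day baseline and the mean + 6 stdev threshold from the posted search, copies the dotted field into a plain-named numeric field with `tonumber()` so later comparisons cannot fail typechecking, and then filters on it. The summary index, search name and data model names are taken from the thread as-is; the `cmd_len` field name is an assumption introduced here.

```spl
| datamodel Process_Monitoring Process_Creation search
| eval threshold = [
    | search index=summary "search_name=pm_command_line_length_stats" earliest=-90d@d latest=-1d@d
    | stats avg(command_line_length) AS command_line_average stdev(command_line_length) AS command_line_stdev
    | eval threshold = round(command_line_average + ( command_line_stdev * 6 ))
    | return $threshold ]
``` single-quote the dotted data model field so eval reads the field value
``` instead of concatenating the fields "Process_Creation" and "command_line_length";
``` tonumber() guarantees a numeric comparison even if the value arrives as a string
| eval cmd_len = tonumber('Process_Creation.command_line_length')
| where isnotnull(cmd_len) AND cmd_len > threshold
| table _time cmd_len threshold
```

A quick way to confirm the parsing problem on your own data is to run `| datamodel Process_Monitoring Process_Creation search | eval a=Process_Creation.command_line_length, b='Process_Creation.command_line_length' | table a b` and compare the two columns: `a` is empty (the concatenation of two missing fields) while `b` holds the numeric value. Note also that `return $threshold` emits the bare value, so the subsearch expands to `eval threshold = <number>`; if the baseline search returns no rows the subsearch is empty and the outer `eval` fails, so a baseline search that has not yet populated the summary index should be checked first.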

harsmarvania57
SplunkTrust

Hi @joeldavideng,

To start diagnosing the issue, first try this search: | datamodel Process_Monitoring Process_Creation search | where Process_Creation.command_line_length > 0 Are you getting any results?

0 Karma

joeldavideng
Path Finder

Performing that query threw a type error "Typechecking failed. The '>' operator received different types" which would indicate that the value is stored as the wrong type. I checked the data model and that field is explicitly set as a number. Is there an implicit cast when you reference the data model?

0 Karma

joeldavideng
Path Finder

I randomly decided to try adding some $'s to the field to see if I could extract the value of the field and it worked.


| datamodel Process_Monitoring Process_Creation search | where $Process_Creation.command_line_length$ > 100

I guess the calculated fields in a data model behave differently than adhoc fields calculated at search time in a query.

0 Karma