Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Issue on using event types as constraints for Data model

Zanusha443
Explorer
‎06-11-2024 10:50 AM

Hi,

I am working in a distributed environment with a SHC of 3 search heads and I am mapping vpn logs to fill certain datasets of my custom version of the Authentication data model (not accelerated for the moment).

The datasets I added to the default authentication Data Model are "Failed_Authentication","Successful_Authentication" and "Login_Attempt", as you can see below:


2024-06-11 18_55_22-Edit Objects_ Authentication _ Splunk 9.2.1.png

 

 

 

 

 

 

 

 

 

 

 

Then, I created an eventtype (with some associated tags) to match specific conditions for an authentication success, as shown below:

1eventtype.png

 

sourcetype=XX action=success signature IN ("Agent login","Login","Secondary authentication","Primary authentication") OR (signature="Session" AND action="success")

 

 

Then, I used the Eventtype as a constraint for the dataset "Authentication.Successful_Authentication" as shown below:

5.png

To test if the constraint is working or not:

  • I used the pivoting button offered by the GUI and it returns me some results!
  • I run in the search app the following SPL and it also returns some results: 

 

index=vpn* tag=authentication eventtype=auth_vpn_success​

 

 

However, if I try to retrieve the same information by using the following SPL (by using tstat), it returns no results:

 

 |tstats summariesonly=f count from datamodel=Authentication where nodename=Authentication.Successful_Authentication

 

Even by running another SPL(based on tstat) to retrieve the eventtypes of the Authentication Data Model it returns no results:

 

| tstats count from datamodel=Authentication  by eventtype

 

 

I tried to troubleshoot the issue with 2 different tests:

  1. Not using the field eventtypes as Dataset constraint. 
  2. Creating another eventtype and using a different Data Model (Change).

 

1) I created a dataset constraint for "Authentication.Failed_Authentication" which is not using either tag or eventtypes, as follow:

4-2auth-failureconstaint_dataset.png

 

action=failure

 

 

And both of the aforementioned tstats SPLs are working now!

 

2) I created another eventtype related to a change log type, as follow:

7.png

 

index=vpn* sourcetype=XX AND "User Accounts modified."

 

 

And I added it as a constraint  for the dataset "All_Changes.Account_Change" :

8.png

And by running the 2 aforementioned tstat SPLs  they return me some results!

 

In conclusion, I suspect there is an issue related to either the tag=authentication (maybe some conflict with other default apps?) or the Authentication Data Model (related to custom datasets I added?).

Do you have any clue of what I could have done wrong ? 

 

Kind Regard,

Z

 

Labels (3)
Labels
0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

The Payment Operations Wake-Up Call: Why Financial Institutions Can't Afford ...

The same scenario plays out across financial institutions daily. A payment system fails at 11:30 AM on a busy ...

Make Your Case: A Ready-to-Send Letter for Getting Approval to Attend .conf25

Hello Splunkers, Want to attend .conf25 in Boston this year but not sure how to convince your manager? We've ...

Community Spotlight: A Splunk Expert's Journey

In the world of data analytics, some journeys leave a lasting impact not only on the individual but on the ...
Top