Knowledge Management

Issue on using event types as constraints for Data model

Zanusha443
Explorer

Hi,

I am working in a distributed environment with a SHC of 3 search heads and I am mapping vpn logs to fill certain datasets of my custom version of the Authentication data model (not accelerated for the moment).

The datasets I added to the default authentication Data Model are "Failed_Authentication","Successful_Authentication" and "Login_Attempt", as you can see below:


2024-06-11 18_55_22-Edit Objects_ Authentication _ Splunk 9.2.1.png

 

 

 

 

 

 

 

 

 

 

 

Then, I created an eventtype (with some associated tags) to match specific conditions for an authentication success, as shown below:

1eventtype.png

 

sourcetype=XX action=success signature IN ("Agent login","Login","Secondary authentication","Primary authentication") OR (signature="Session" AND action="success")

 

 

Then, I used the Eventtype as a constraint for the dataset "Authentication.Successful_Authentication" as shown below:

5.png

To test if the constraint is working or not:

  • I used the pivoting button offered by the GUI and it returns me some results!
  • I run in the search app the following SPL and it also returns some results: 

 

index=vpn* tag=authentication eventtype=auth_vpn_success​

 

 

However, if I try to retrieve the same information by using the following SPL (by using tstat), it returns no results:

 

 |tstats summariesonly=f count from datamodel=Authentication where nodename=Authentication.Successful_Authentication

 

Even by running another SPL(based on tstat) to retrieve the eventtypes of the Authentication Data Model it returns no results:

 

| tstats count from datamodel=Authentication  by eventtype

 

 

I tried to troubleshoot the issue with 2 different tests:

  1. Not using the field eventtypes as Dataset constraint. 
  2. Creating another eventtype and using a different Data Model (Change).

 

1) I created a dataset constraint for "Authentication.Failed_Authentication" which is not using either tag or eventtypes, as follow:

4-2auth-failureconstaint_dataset.png

 

action=failure

 

 

And both of the aforementioned tstats SPLs are working now!

 

2) I created another eventtype related to a change log type, as follow:

7.png

 

index=vpn* sourcetype=XX AND "User Accounts modified."

 

 

And I added it as a constraint  for the dataset "All_Changes.Account_Change" :

8.png

And by running the 2 aforementioned tstat SPLs  they return me some results!

 

In conclusion, I suspect there is an issue related to either the tag=authentication (maybe some conflict with other default apps?) or the Authentication Data Model (related to custom datasets I added?).

Do you have any clue of what I could have done wrong ? 

 

Kind Regard,

Z

 

Labels (3)
0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...