Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Issue on using event types as constraints for Data model

Zanusha443
Explorer
‎06-11-2024 10:50 AM

Hi,

I am working in a distributed environment with a SHC of 3 search heads and I am mapping vpn logs to fill certain datasets of my custom version of the Authentication data model (not accelerated for the moment).

The datasets I added to the default authentication Data Model are "Failed_Authentication","Successful_Authentication" and "Login_Attempt", as you can see below:


2024-06-11 18_55_22-Edit Objects_ Authentication _ Splunk 9.2.1.png

 

 

 

 

 

 

 

 

 

 

 

Then, I created an eventtype (with some associated tags) to match specific conditions for an authentication success, as shown below:

1eventtype.png

 

sourcetype=XX action=success signature IN ("Agent login","Login","Secondary authentication","Primary authentication") OR (signature="Session" AND action="success")

 

 

Then, I used the Eventtype as a constraint for the dataset "Authentication.Successful_Authentication" as shown below:

5.png

To test if the constraint is working or not:

  • I used the pivoting button offered by the GUI and it returns me some results!
  • I run in the search app the following SPL and it also returns some results: 

 

index=vpn* tag=authentication eventtype=auth_vpn_success​

 

 

However, if I try to retrieve the same information by using the following SPL (by using tstat), it returns no results:

 

 |tstats summariesonly=f count from datamodel=Authentication where nodename=Authentication.Successful_Authentication

 

Even by running another SPL(based on tstat) to retrieve the eventtypes of the Authentication Data Model it returns no results:

 

| tstats count from datamodel=Authentication  by eventtype

 

 

I tried to troubleshoot the issue with 2 different tests:

  1. Not using the field eventtypes as Dataset constraint. 
  2. Creating another eventtype and using a different Data Model (Change).

 

1) I created a dataset constraint for "Authentication.Failed_Authentication" which is not using either tag or eventtypes, as follow:

4-2auth-failureconstaint_dataset.png

 

action=failure

 

 

And both of the aforementioned tstats SPLs are working now!

 

2) I created another eventtype related to a change log type, as follow:

7.png

 

index=vpn* sourcetype=XX AND "User Accounts modified."

 

 

And I added it as a constraint  for the dataset "All_Changes.Account_Change" :

8.png

And by running the 2 aforementioned tstat SPLs  they return me some results!

 

In conclusion, I suspect there is an issue related to either the tag=authentication (maybe some conflict with other default apps?) or the Authentication Data Model (related to custom datasets I added?).

Do you have any clue of what I could have done wrong ? 

 

Kind Regard,

Z

 

Labels (3)
Labels
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...