Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Malware_attacks dataset is not showing event under Malware Datamodel

rashid47010
Communicator
‎05-18-2019 01:16 PM

Dear Experts,

there are no events for "Malware"."Malware_attacks".

tags and eventtypes seems fine
but there are no events when I select
tag=malware in the search.

how can I troubleshoot Malware Datamodel issue.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

koshyk
Super Champion
‎05-21-2019 03:47 AM

Ok, there are few moving parts for displaying the tags

  1. Splunk CIM => https://docs.splunk.com/Documentation/CIM/4.13.0/User/Malware
  2. The Addon/TA which contains logic to extract the tags
  3. Your data/sourcetype

You need all of the above for the tag to show properly. So inorder to debug
a. Ensure your data/sourcetype contains malware type of events. Check if this sourcetype is used by the relevant Addon/TA
b. Go into the TA and check for props.conf, transforms.conf, eventtypes.conf & tags.conf. See if they are extracting properly from your data. Test this in DEV
c. If (a) and (b) is all good, then ensure your CIM app/addon is correct version.
d. Check for datamodels and its acceleration

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

koshyk
Super Champion
‎05-21-2019 03:47 AM

Ok, there are few moving parts for displaying the tags

  1. Splunk CIM => https://docs.splunk.com/Documentation/CIM/4.13.0/User/Malware
  2. The Addon/TA which contains logic to extract the tags
  3. Your data/sourcetype

You need all of the above for the tag to show properly. So inorder to debug
a. Ensure your data/sourcetype contains malware type of events. Check if this sourcetype is used by the relevant Addon/TA
b. Go into the TA and check for props.conf, transforms.conf, eventtypes.conf & tags.conf. See if they are extracting properly from your data. Test this in DEV
c. If (a) and (b) is all good, then ensure your CIM app/addon is correct version.
d. Check for datamodels and its acceleration

0 Karma
Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...