cim vladiator % DM coverage

dm2
Explorer

Hi,

I installed SA_CIM_Vladiator, and when running % checks to see DM coverage I do see gaps between extracted fields or fields that are found on specific indexes, and the app does not return them in the results.

0 Karma

PickleRick
SplunkTrust

Remember that not all events from a particular index must match your datamodel.

A datamodel definition specifies constraints which events must meet in order to be a part of the root dataset. In the case of CIM datamodels this is based on tags. In the case of the Intrusion Detection datamodel you need two tags for your event - ids and attack. So if you want to check the coverage for the raw data, you need to search for those two tags.

index=whatever_index_you're_using tag=ids tag=attack

0 Karma
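
One way to measure, per sourcetype, how much of an index actually meets the two-tag constraint described in the answer above. This is an added example, not part of the original thread; it uses the index name from the question (index=imperva), and the field names in_ids_dm, total_events, matching_events and pct_matching are made up for illustration.

```spl
index=imperva
| eval in_ids_dm=if(isnotnull(mvfind(tag, "^ids$")) AND isnotnull(mvfind(tag, "^attack$")), 1, 0)
| stats count AS total_events sum(in_ids_dm) AS matching_events BY sourcetype
| eval pct_matching=round(100 * matching_events / total_events, 1)
| sort pct_matching
```

Sourcetypes showing 0 have no events carrying both tags, so they will not appear in the Intrusion Detection datamodel regardless of which fields are extracted.
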

dm2
Explorer

Yes, if I run a search index=imperva I do see all the fields.

0 Karma

gcusello
SplunkTrust

Hi @dm2,

If you run this search in the SA-CIM_vladiator app, do you see fields?

If not (as I understood), you have to share them at Global level.

The app level shared fields are visible only inside the app where they are created.

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust

Hi @dm2,

Are these fields shared at app or Global level?

They must be at Global level to be viewed in this and in the other apps.

Ciao.

Giuseppe

0 Karma

splunkreal
Motivator

Hi @gcusello, same issue here but we can't share all fields globally just for cim vladiator, is there any solution?

Thanks!

* If this helps, please upvote or accept solution if it solved *
0 Karma