C.I.M Authentication Data Model acceleration not accelerating action=success events

guarisma
Contributor

My |datamodel Authentication search | search Authentication.action=success works as expected and finds thousands of events correctly, but when I try |tstats count from datamodel=Authentication by Authentication.action I only find failures and unknowns, and no successes.

I see the constraint ('cim_Authentication_indexes') tag=authentication NOT (action=success user=*$) and ran a search like that and was also able to see action=success events, so I don't know what's going on.

What's wrong with the acceleration? Why can't I find any Authentication.action=success events?

0 Karma

DavidHourani
Super Champion

Hi @guarisma,

When running |datamodel Authentication search | stats count by Authentication.action it is the equivalent of querying ('cim_Authentication_indexes') tag=authentication NOT (action=success user=*$) with your user's permissions.

When you run |tstats count from datamodel=Authentication by Authentication.action you are reading the data from within the data model, which can be running with other permissions and reading other indices. Could you please confirm that both you and the DM owner user have the same permissions?

Cheers,
David

0 Karma

guarisma
Contributor

Yes, same permissions
All Apps, full read and write

0 Karma

nvanderwalt_spl
Splunk Employee

Are the events all coming from data extracted by a single app/TA? If so, make sure that the app is imported into ES (if it is an ES search head), and make sure the permission on the app and KO are correct.

0 Karma

guarisma
Contributor

Hello,
My client is not using Enterprise Security (ES).
We are developing an application with a few dashboards using the CIM Data Models.
All the field extractions and calculations are working fine from their own TA/Splunk_TA, but when accelerated the summary indices are not collecting events with action=success.

0 Karma

skalliger
SplunkTrust

Did you try a | tstats summariesonly=false count from datamodel=Authentication by Authentication.action?
On the other hand, (action=success has a logical AND condition between user=*$).

Skalli

0 Karma

guarisma
Contributor

Yup, summariesonly=false doesn't help.
Also yes, it's an AND. As I said, using the constraint directly in the search works perfectly and I'm able to find events with action=success. I don't know why the acceleration would replace the success with unknowns; without acceleration it works fine.

0 Karma

johnvr
Path Finder

If summariesonly=false doesn't produce results, then the problem isn't the acceleration, it's that the data's probably not normalized properly. There's no data to accelerate.

Try running "cim_Authentication_indexes tag=authentication | stats values(action)" - is "success" one of the listed values?

0 Karma

guarisma
Contributor

That works fine.
When the DM is not accelerated I can find action=success, but if accelerated I can only find action=failure or action=unknown. For some reason the field calculation for the action field in the DM ignores all the action=success events and rewrites them as unknown.

0 Karma

mattcosa
Explorer

Hi there - having the same problem with my accelerated data in ES.

Success is listed as a value when I search cim_Authentication_indexes tag=authentication | stats values(action).

Not sure what's happening!

koshyk
Super Champion

Are you sure your tstats has access to all indexes? Sometimes, you may have whitelisted only specific indexes in your CIM.

0 Karma

guarisma
Contributor

Yes, permissions are not an issue.
Have you tried reproducing this issue?
It only happens when acceleration is checked on the Data model.

0 Karma