C.I.M Authentication Data Model acceleration not accelerating action=success events

My |datamodel Authentication search | search Authentication.action=success
works as expected and finds thousands of events correctly, but when I try |tstats count from datamodel=Authentication by Authentication.action
I only find failures and unknowns, and no successes.
I see the constraint (`cim_Authentication_indexes`) tag=authentication NOT (action=success user=*$)
and ran a search like that and was also able to see action=success events, so I don't know what's going on.
What's wrong with the acceleration? Why can't I find any Authentication.action=success events?

Hi @guarisma,
When running |datamodel Authentication search | stats count by Authentication.action
it is the equivalent of querying (`cim_Authentication_indexes`) tag=authentication NOT (action=success user=*$)
with your user's permissions.
When you run |tstats count from datamodel=Authentication by Authentication.action
you are reading the data from within the data model, which can be running with other permissions and reading other indices. Could you please confirm that both you and the DM owner user have the same permissions?
Cheers,
David

Yes, same permissions
All Apps, full read and write


Are the events all coming from data extracted by a single app/TA? If so, make sure that the app is imported into ES (if it is an ES search head), and make sure the permissions on the app and KO are correct.

Hello,
My client is not using Enterprise Security (ES).
We are developing an application with a few dashboards using the CIM Data Models.
All the field extractions and calculations are working fine from their own TA/Splunk_TA, but when accelerated the summary indices are not collecting events with action=success.

Did you try a | tstats summariesonly=false count from datamodel=Authentication by Authentication.action?
On the other hand, (action=success has a logical AND condition between user=*$).
Skalli

Yup, summariesonly=false doesn't help.
Also yes, it's an AND. As I said, using the constraint directly on the search works perfectly and I'm able to find events with action=success. I don't know why the acceleration would replace the success with unknowns; without acceleration it works fine.

If summariesonly=false doesn't produce results, then the problem isn't the acceleration, it's that the data's probably not normalized properly. There's no data to accelerate.
Try running "`cim_Authentication_indexes` tag=authentication | stats values(action)" - is "success" one of the listed values?

That works fine.
When the DM is not accelerated I can find action=success, but if accelerated I can only find action=failure or action=unknown. For some reason the field calculation for the action field in the DM ignores all the action=success and rewrites them as unknown.

Hi there - having the same problem with my accelerated data in ES.
Success is listed as a value when I search `cim_Authentication_indexes` tag=authentication | stats values(action).
Not sure what's happening!

Are you sure your tstats have access to all indexes? Sometimes, you may have whitelisted only specific indexes in your CIM.

Yes, permissions are not an issue.
Have you tried reproducing this issue?
It only happens when acceleration is checked on the data model.
