Reporting

C.I.M Authentication Data Model acceleration not accelerating action=success events

Communicator

My |datamodel Authentication search | search Authentication.action=success works as expected and finds thousands of events correctly, but when I try |tstats count from datamodel=Authentication by Authentication.action I only find failures and unknowns, and no successes.

I see the constraint ('cim_Authentication_indexes') tag=authentication NOT (action=success user=*$) and ran a search like that and was also able to see action=success events, so I don't know what's going on.

What's wrong with the acceleration? Why can't I find any Authentication.action=success events?

Datamodel

tstats

0 Karma

Super Champion

Hi @guarisma,

When running |datamodel Authentication search | stats count by Authentication.action it is the equivalent of querying ('cim_Authentication_indexes') tag=authentication NOT (action=success user=*$) with your user's permissions.

When you run |tstats count from datamodel=Authentication by Authentication.action you are reading the data from within the data model, which may be running with different permissions and reading other indices. Could you please confirm that both you and the DM owner have the same permissions?

Cheers,
David

0 Karma

Communicator

Yes, same permissions
All Apps, full read and write

0 Karma

Splunk Employee

Are the events all coming from data extracted by a single app/TA? If so, make sure that the app is imported into ES (if it is an ES search head), and make sure the permissions on the app and KO are correct.

0 Karma

Communicator

Hello,
My client is not using Enterprise Security (ES).
We are developing an application with a few dashboards using the CIM Data Models.
All the field extractions and calculations work fine from their own TA/Splunk_TA, but when accelerated the summary indices are not collecting events with action=success.

0 Karma

SplunkTrust

Did you try a | tstats summariesonly=false count from datamodel=Authentication by Authentication.action?
On the other hand, there is a logical AND between action=success and user=*$ inside the NOT.

Skalli

0 Karma

Communicator

Yup, summariesonly=false doesn't help.
Also yes, it's an AND. As I said, using the constraint directly in the search works perfectly and I'm able to find events with action=success. I don't know why the acceleration would replace the successes with unknowns; without acceleration it works fine.

0 Karma

Path Finder

If summariesonly=false doesn't produce results, then the problem isn't the acceleration, it's that the data's probably not normalized properly. There's no data to accelerate.

Try running "cim_Authentication_indexes tag=authentication | stats values(action)" - is "success" one of the listed values?

0 Karma

Communicator

That works fine.
When the DM is not accelerated I can find action=success, but if accelerated I can only find action=failure or action=unknown. For some reason the field calculation for the action field in the DM ignores all the action=success events and rewrites them as unknown.

0 Karma

Explorer

Hi there - having the same problem with my accelerated data in ES.

Success is listed as a value when I search cim_Authentication_indexes tag=authentication | stats values(action).

Not sure what's happening!

Super Champion

Are you sure your tstats has access to all indexes? Sometimes you may have whitelisted only specific indexes in your CIM.

0 Karma

Communicator

Yes, permissions are not an issue.
Have you tried reproducing this issue?
It only happens when acceleration is checked on the Data model

0 Karma
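The thread never settles on a root cause, but two things in it are worth seeing side by side: the base-search constraint, where the NOT wraps an AND (successful logons by users whose name ends in "$", typically machine accounts, are excluded, everything else is kept), and the data model's action calculation, which the original poster says turns missing values into "unknown". The model below is an added example, not code from the thread or from Splunk. It is a toy in Python rather than SPL so it can run offline: the sample events, the two stand-in extraction rules, the "system"/"app" scope names, and the idea that the summary-building search cannot reach an app-scoped knowledge object are all constructed assumptions (the Splunk employee's hint about app/KO permissions is the only thing on the page that points this way). What it shows is one way the observed symptom, failures and unknowns but no successes, can arise when the knowledge object that produces action=success is not visible to the search that builds the acceleration summary, and that in that situation the "$" accounts slip past the constraint as well.

```python
"""Toy model of the CIM Authentication base search and action normalisation.

Added example, not from the thread. Events, extraction rules and the scope
names are constructed for illustration and do not reflect Splunk internals.
"""
import re
from collections import Counter
from fnmatch import fnmatchcase

# Constructed raw events, loosely shaped like Windows logon records.
RAW_EVENTS = [
    {"EventCode": "4624", "user": "alice",  "Message": "An account was successfully logged on"},
    {"EventCode": "4624", "user": "WS01$",  "Message": "An account was successfully logged on"},  # machine account
    {"EventCode": "4625", "user": "bob",    "Message": "An account failed to log on"},
    {"EventCode": "4624", "user": "svc-db", "Message": "An account was successfully logged on"},
    {"EventCode": "4625", "user": "DC02$",  "Message": "An account failed to log on"},
    {"EventCode": "4634", "user": "alice",  "Message": "An account was logged off"},  # no action mapping
]

# Stand-ins for a TA's knowledge objects, each tagged with a hypothetical
# sharing scope. A search only applies the rules whose scope it can see.
def tag_authentication(ev):
    # constructed eventtype/tag rule: logon-related codes get tag=authentication
    return {"tag": ["authentication"]} if ev["EventCode"] in {"4624", "4625", "4634"} else {}

def action_from_message(ev):
    # constructed regex-style extraction: failures are visible in the message text
    return {"action": "failure"} if re.search(r"failed to log on", ev["Message"]) else {}

def action_from_lookup(ev):
    # constructed lookup: only this rule yields action=success
    return {"action": "success"} if ev["EventCode"] == "4624" else {}

EXTRACTIONS = [
    ("system", tag_authentication),
    ("system", action_from_message),
    ("app",    action_from_lookup),   # assumed to be shared only within the TA's app
]

ADHOC = frozenset({"system", "app"})  # interactive search run inside the app context
SUMMARY = frozenset({"system"})       # summary build that cannot reach app-scoped objects


def extract(raw, visible_scopes):
    """Apply every knowledge object the search context can see."""
    ev = dict(raw)
    for scope, rule in EXTRACTIONS:
        if scope in visible_scopes:
            ev.update(rule(raw))
    return ev


def in_base_search(ev):
    """tag=authentication NOT (action=success user=*$): the NOT groups an AND."""
    if "authentication" not in ev.get("tag", ()):
        return False
    machine_success = ev.get("action") == "success" and fnmatchcase(ev.get("user", ""), "*$")
    return not machine_success


def dm_action(ev):
    """DM-style calculated field as described in the thread: missing action -> 'unknown'."""
    return ev.get("action") or "unknown"


def count_by_action(visible_scopes):
    """Equivalent of `... | stats count by Authentication.action` for a given context."""
    counts = Counter()
    for raw in RAW_EVENTS:
        ev = extract(raw, visible_scopes)
        if in_base_search(ev):
            counts[dm_action(ev)] += 1
    return dict(counts)


def lost_actions(adhoc_scopes, summary_scopes):
    """Action values present in the ad-hoc view but absent from the summary view."""
    return set(count_by_action(adhoc_scopes)) - set(count_by_action(summary_scopes))


if __name__ == "__main__":
    print("ad-hoc  :", count_by_action(ADHOC))
    print("summary :", count_by_action(SUMMARY))
    print("lost    :", lost_actions(ADHOC, SUMMARY))
```

Run it and the ad-hoc view reports two successes, two failures and one unknown (the logoff), while the summary view reports no successes at all: the two non-machine logons become "unknown", and the WS01$ logon, which the constraint was supposed to drop, is counted too, because a missing action can never equal "success". The practical check this suggests is the one the thread circles around: run the base search with `| stats values(action)` both as yourself and as the data model owner from the app context the acceleration runs in, and compare with `| tstats summariesonly=true ... by Authentication.action`; if "success" disappears only in the summary, look at the sharing of whatever knowledge object produces it.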