C.I.M Authentication Data Model acceleration not accelerating action=success events

Communicator

My |datamodel Authentication search | search Authentication.action=success works as expected and finds thousands of events correctly, but when I try |tstats count from datamodel=Authentication by Authentication.action I only find failures and unknowns, and no successes.

I see the constraint ('cim_Authentication_indexes') tag=authentication NOT (action=success user=*$) and ran a search like that and was also able to see action=success events, so I don't know what's going on.

What's wrong with the acceleration? Why can't I find any Authentication.action=success events?

Tags: Datamodel, tstats


Re: C.I.M Authentication Data Model acceleration not accelerating action=success events

SplunkTrust

Did you try a | tstats summariesonly=false count from datamodel=Authentication by Authentication.action?
On the other hand, action=success has a logical AND condition with user=*$.

Skalli


Re: C.I.M Authentication Data Model acceleration not accelerating action=success events

Communicator

Yup, summariesonly=false doesn't help.
Also yes, it's an AND. As I said, using the constraint directly in the search works perfectly and I'm able to find events with action=success. I don't know why the acceleration would replace the success with unknowns; without acceleration it works fine.


Re: C.I.M Authentication Data Model acceleration not accelerating action=success events

Path Finder

If summariesonly=false doesn't produce results, then the problem isn't the acceleration, it's that the data's probably not normalized properly. There's no data to accelerate.

Try running "cim_Authentication_indexes tag=authentication | stats values(action)" - is "success" one of the listed values?


Re: C.I.M Authentication Data Model acceleration not accelerating action=success events

Communicator

That works fine.
When the DM is not accelerated I can find action=success, but when it is accelerated I can only find action=failure or action=unknown. For some reason the field calculation for the action field in the DM ignores all the action=success events and rewrites them as unknown.


Re: C.I.M Authentication Data Model acceleration not accelerating action=success events

Explorer

Hi there - having the same problem with my accelerated data in ES.

Success is listed as a value when I search cim_Authentication_indexes tag=authentication | stats values(action).

Not sure what's happening!


Re: C.I.M Authentication Data Model acceleration not accelerating action=success events

Super Champion

Are you sure your tstats have access to all indexes? Sometimes you may have whitelisted only specific indexes in your CIM.


Re: C.I.M Authentication Data Model acceleration not accelerating action=success events

Communicator

Yes, permissions are not an issue.
Have you tried reproducing this issue?
It only happens when acceleration is checked on the Data model.


Re: C.I.M Authentication Data Model acceleration not accelerating action=success events

Splunk Employee

Are the events all coming from data extracted by a single app/TA? If so, make sure that the app is imported into ES (if it is an ES search head), and make sure the permission on the app and KO are correct.


Re: C.I.M Authentication Data Model acceleration not accelerating action=success events

Communicator

Hello,
My client is not using Enterprise Security (ES).
We are developing an application with a few dashboards using the CIM Data Models.
All the field extractions and calculations are working fine from their own TA/Splunk_TA, but when accelerated the summary indices are not collecting events with action=success.

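As an added example, not from the thread or from Splunk: the three-way comparison the replies circle around, as a small Python helper. Run each SPL search over the same time range, export the per-action counts as CSV, and diagnose() names the stage at which action=success disappears; the sample CSV outputs and the "Authentication" object name in the datamodel search are assumptions.

```python
import csv
import io
from typing import Dict

# Three SPL searches over the same time range: the stock CIM root constraint
# quoted in the question, the model unaccelerated, and the summaries alone.
SEARCHES = {
    "constraint": "(`cim_Authentication_indexes`) tag=authentication "
                  "NOT (action=success user=*$) | stats count by action",
    "datamodel": "| datamodel Authentication Authentication search "
                 "| stats count by Authentication.action",
    "summaries": "| tstats summariesonly=true count from datamodel=Authentication "
                 "by Authentication.action",
}

Counts = Dict[str, int]  # action value -> event count

def parse_counts(csv_text: str) -> Counts:
    """Parse the CSV export of a `... | stats count by <field>` search."""
    counts: Counts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        field = next(k for k in row if k != "count")  # action / Authentication.action
        counts[row[field]] = int(row["count"])
    return counts

def diagnose(constraint: Counts, datamodel: Counts, summaries: Counts,
             action: str = "success") -> str:
    """Name the first stage at which `action` disappears, or "ok"."""
    if constraint.get(action, 0) == 0:
        # Nothing to accelerate: events are not tagged/normalized, or every
        # success comes from a machine account (user=*$) the constraint drops.
        return "normalization"
    if datamodel.get(action, 0) == 0:
        # Raw constraint has it, the model object does not: a calculated field
        # in the model is rewriting `action` (e.g. to "unknown").
        return "calculated_field"
    if summaries.get(action, 0) == 0:
        # Unaccelerated search has it, summaries do not: the summaries are
        # stale, partial, or built over a different index set or time range.
        return "summaries"
    return "ok"

# Constructed sample outputs mirroring the thread: success survives until the
# summaries, which only hold failure and unknown.
SAMPLE = {
    "constraint": "action,count\nsuccess,9123\nfailure,410\nunknown,17\n",
    "datamodel": "Authentication.action,count\nsuccess,9123\nfailure,410\nunknown,17\n",
    "summaries": "Authentication.action,count\nfailure,410\nunknown,9140\n",
}
```

Feed the real CSV exports of the three searches into parse_counts() in the same order and the returned stage tells you whether to look at tagging, at the model's calculated fields, or at the acceleration summaries and their backfill range.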