Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Reporting
- :
- Data model not picking up field alias
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Data model not picking up field alias
I have installed the Suricata TA on my Splunk box. I am verifying that the data is flowing into the Intrusion Detection data model correctly.
The Suricata TA has the following field alias:
FIELDALIAS-suricata_global = proto AS transport src_ip AS src dest_ip AS dest
The following search shows the values of the "src" field correctly, but the "dest" field has thousands of events where "dest" is "unknown":
| datamodel Intrusion_Detection Network_IDS_Attacks search
But if I run this search on the raw events, I only see events that don't have the "dest" field in them:
sourcetype=suricata NOT dest=*
Can anyone think of a reason why two fields defined in the same FIELDALIAS- command would only have one of them populate with the values correctly? Both the src_ip and dest_ip fields are in the events, but the data model can't see the values for dest/dest_ip for some reason...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know its an old post but i had the same problem-
Solution was that i extracted all my fields using a delims transforms on a dedicated field extraction (basically the _raw event without header data). Now the datamodel was not aware of the underlying field extraction. Adding it as a field of the datamodel did the trick and all other fields showed up.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is alias' permission global?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I should also add that when I ran | datamodel Certificates search, the dest field is populating properly in that datamodel.
Neither datamodel is accelerated yet.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the same problem Suricata 2.3.3:
FIELDALIAS-suricata_global = proto AS transport src_ip AS src dest_ip AS dest
The alias is not adding dest to the logs that are tagged with tag=attack OR tag=ids.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
