Reporting

How to extract new fields from a datamodel without deaccelearting it?

Path Finder

Hi All,

I have a datamodel "Authentication". This datamodel is already been accelerated.I require two more fields to be extracted from this datamodel. I have used the below query for excessive logins but does not seems to give results. Please advice.

| from datamodel:"Authentication"."Failed_Authentication"
| rex field=_raw "Result Code:\s+(?.*)"
| rex field=_raw "EventCode=(?\d+)"
| search 'event_code'=4768 AND 'result_code'=0x17
| stats dc(dest) as "dest_count",dc(user) as "user_count" ,count by "app","user"

0 Karma
1 Solution

SplunkTrust
SplunkTrust

One cannot add fields to a datamodel while it is accelerated. The UI should make that clear.

It is possible to extract additional fields from those returned by a data model. I'm unaware, however, of any datamodel that produces a field called "_raw".

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

One cannot add fields to a datamodel while it is accelerated. The UI should make that clear.

It is possible to extract additional fields from those returned by a data model. I'm unaware, however, of any datamodel that produces a field called "_raw".

---
If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma