Solved: Add result of eval to datamodel field

tiaatim · ‎07-22-2020

I have a search that evals out a calculation from other fields to a "Duration" field for netflow data. Is there a way to populate duration in the network traffic datamodel with the results of the calculation? It currently has firewall data in it but I'd like to add netflow as well.

Thanks!

richgalloway · ‎07-22-2020

Searches can't modify data models. You can, however, add a calculated field to the DM.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎07-22-2020

Searches can't modify data models. You can, however, add a calculated field to the DM.

---
If this reply helps you, Karma would be appreciated.

tiaatim · ‎07-22-2020

I was thinking about that, but the field already exists in the DM though so I don't want to modify how it is populated for our firewall logs. If I turned that field into a calculated field then the existing duration value in the FW data would be lost and wouldn't populate the field with fw logs right?

richgalloway · ‎07-22-2020

That's true if you use the same name for two fields. Workaround is to use a different name for the netflow field.

---
If this reply helps you, Karma would be appreciated.

tiaatim · ‎07-22-2020

I thought about that too but then the datamodel wouldn't populate and the data wouldn't be CIM compliant.

Add result of eval to datamodel field

using Enterprise Security

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...