Splunk Enterprise Security

Auditing Datamodels

zekiramhi
Path Finder

Hello,

Is there a way to validate the fields used in the datamodel by how compliant they are with the current setup?
I am trying to validate and fix data models to receive optimum results in the Splunk ES.

Any tips regarding the issue will be appreciated,
Thanks

0 Karma
1 Solution

lakshman239
SplunkTrust
SplunkTrust

Would this help? https://docs.splunk.com/Documentation/ES/5.2.2/Admin/Dashboardrequirements

Also, for e.g. You can use | from datamodel "Authentication.Authentication" | fieldsummary for Authentication datamodel to check if all the datamodel fields are mapped and check the valued to see if they are related to your datasource.

View solution in original post

lakshman239
SplunkTrust
SplunkTrust

if you are happy with the answers provided and/or your issue resolved, can you pls accept the response to close tracking on this?

0 Karma

zekiramhi
Path Finder

Sure, Sorry im new to Splunk Answers.

0 Karma

skalliger
SplunkTrust
SplunkTrust

There is also the function fieldsummary.

0 Karma

lakshman239
SplunkTrust
SplunkTrust

Would this help? https://docs.splunk.com/Documentation/ES/5.2.2/Admin/Dashboardrequirements

Also, for e.g. You can use | from datamodel "Authentication.Authentication" | fieldsummary for Authentication datamodel to check if all the datamodel fields are mapped and check the valued to see if they are related to your datasource.

View solution in original post

zekiramhi
Path Finder

Fantastic, Exactly what I needed. Thanks!

0 Karma

adonio
SplunkTrust
SplunkTrust
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!