Solved: Auditing Datamodels

zekiramhi · ‎02-15-2019

Hello,

Is there a way to validate the fields used in the datamodel by how compliant they are with the current setup?
I am trying to validate and fix data models to receive optimum results in the Splunk ES.

Any tips regarding the issue will be appreciated,
Thanks

lakshman239 · ‎02-15-2019

Would this help? https://docs.splunk.com/Documentation/ES/5.2.2/Admin/Dashboardrequirements

Also, for e.g. You can use | from datamodel "Authentication.Authentication" | fieldsummary for Authentication datamodel to check if all the datamodel fields are mapped and check the valued to see if they are related to your datasource.

View solution in original post

lakshman239 · ‎02-25-2019

if you are happy with the answers provided and/or your issue resolved, can you pls accept the response to close tracking on this?

zekiramhi · ‎02-26-2019

Sure, Sorry im new to Splunk Answers.

skalliger · ‎02-19-2019

There is also the function fieldsummary.

lakshman239 · ‎02-15-2019

Would this help? https://docs.splunk.com/Documentation/ES/5.2.2/Admin/Dashboardrequirements

Also, for e.g. You can use | from datamodel "Authentication.Authentication" | fieldsummary for Authentication datamodel to check if all the datamodel fields are mapped and check the valued to see if they are related to your datasource.

zekiramhi · ‎02-27-2019

Fantastic, Exactly what I needed. Thanks!

adonio · ‎02-15-2019

try this app
https://splunkbase.splunk.com/app/2968/

Auditing Datamodels

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?