Splunk Enterprise Security

CIM Field Values- Do field values have to be consistent for ES or doesn't it matter?

R00ster
Engager

Hello

Do field values have to be consistent for ES or doesn't it matter?  So in the wineventlog if src is sometimes the IP and other times the fqdn does ES care?  Same with the user field, if sometimes the field value is bob@domain or domain-bob or bob$ does it matter?

Thanks

R00ster

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

CIM focuses on field names and completely ignores the values.

As for whether or not ES cares, that depends on how the field is used.  Attempting to correlate source addresses in events will be a challenge if some events contain IP addresses and others contain FQDNs, for example.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

CIM focuses on field names and completely ignores the values.

As for whether or not ES cares, that depends on how the field is used.  Attempting to correlate source addresses in events will be a challenge if some events contain IP addresses and others contain FQDNs, for example.

---
If this reply helps you, Karma would be appreciated.
0 Karma

R00ster
Engager

Fab thanks very much for confirming, very helpful indeed.

Tags (1)
0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...