- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- CIM: event goes to node All_Changes instead of All...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
CIM: event goes to node All_Changes instead of All_Changes.Endpoint_Changes
Hi,
I want to see my data in the ES dashboard Security Domains -> Endpoint -> Endpoint Changes.
I created the following things:
props.conf with CIM compliant field aliases.
eventtypes.conf
[MyEventType]
search = index=MyIndex sourcetype=MySourcetype
tags.conf
[eventtype=MyEventType]
change=enabled
endpoint=enabledI can successfully search the events with tag=change and tag=endpoint. I can also successfully search the data with the data model constraint (`cim_Change_indexes`) tag=change NOT (object_category=file OR object_category=directory OR object_category=registry) tag=endpoint.
However, the dashboard stays empty. When I manually execute one of the dashboard searches | `tstats` append=T count from datamodel=Change.All_Changes where nodename="All_Changes.Endpoint_Changes" I get not results. When I change nodename="All_Changes.Endpoint_Changes" to nodename="All_Changes" I see my events.
So the question is, what do I need to do to get my events in the node All_Changes.Endpoint_Changes?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@dominikatvastli - Perhaps this could help, to understand the dependency on the datamodel for each dashboard. https://docs.splunk.com/Documentation/ES/6.6.0/Admin/Dashboardrequirements . You normally don't need to include the index=MyIndex in your eventtypes.conf, sourcetype alone will do, unless you want the index. Also, I assume the index is added to the Spunk_SA_CIM/local/macros.conf for cim_Change_indexes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @dominikatvastli ,
Can you try with this instead:
| tstats allow_old_summaries=t append=T count from datamodel=Change.All_Changes where nodename="All_Changes.Endpoint_Changes"
Let me know if this helps.
S
***If this helped, please accept it as a solution. It helps others to find the solution for similar issues quickly.***
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
