ES 3.3 Data nodels showing Unknown values

masiddiqu · ‎05-16-2015

Hi,
I have two index node cluster and one dedicated search head for ES APP. installed Splunk_TA for cisco ASA on the forwarders, indexers and search head . we are able to index the data with sourcetype=cisco:asa.

When we search the data with search app we are able to get all the fields properly including the TAGs required for ES APP. (Ex: src, dst, network etc)

but when we open with data models in the ES APP, most of the fields are showing unknown value. how to troubleshoot this

siddiqu.T

esix_splunk · ‎05-22-2015

If ES loaded the data into the data models before you installed the splunk_TA_cisco-asa on the ES Search Head, these values will show as unknown.

You need to rebuild the data model for this to be corrected.

You should browse the data model and confirm that the data is tagged correctly however. Follow the ES documentation based on your datamodel and dashboard :

http://docs.splunk.com/Documentation/ES/3.1.1/User/AdditionalNetworkdashboards
http://docs.splunk.com/Documentation/CIM/latest/User/Howtousethesereferencetables

mdessus_splunk · ‎05-22-2015

Hello, when you do a search from the ES app, do you saw also the tags and the normalized data from the TA ?

ES 3.3 Data nodels showing Unknown values

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?