Splunk Enterprise Security

Empty 'sourcetype' field in Authentication data model if tstats query used

Path Finder

Hello,

In order to detect excessive failed logins we use the correlation search below:

| tstats summariesonly=true allow_old_summaries=true values(Authentication.tag) as "tag", values(Authentication.user) as user, values(Authentication.sourcetype) as sourcetype, dc(Authentication.user) as "user_count",dc(Authentication.dest) as "dest_count",count from datamodel=Authentication.Authentication where nodename=Authentication.Failed_Authentication by "Authentication.app","Authentication.src"
| `drop_dm_object_name("Authentication")`
| where 'count'>=6

For some reason it does not return the values of sourcetype and tag fields, it stays empty. There is no issue with other fields like user and dest. A simple |from datammodel:Authentication... search returns all fields' values as well.

Do you have an idea what the issue is caused by and how it could be fixed?

Many thanks!

0 Karma
1 Solution

Path Finder

For the common default fields, you would not need to reference the dataset name. You can just use "values(sourcetype) as sourcetype". Same goes with _time, source, and host.

View solution in original post

Path Finder

For the common default fields, you would not need to reference the dataset name. You can just use "values(sourcetype) as sourcetype". Same goes with _time, source, and host.

View solution in original post

Path Finder

Great! Thanks for the help!

0 Karma