Solved: Empty 'sourcetype' field in Authentication data mo...

woodentree · ‎02-03-2020

Hello,

In order to detect excessive failed logins we use the correlation search below:

| tstats summariesonly=true allow_old_summaries=true values(Authentication.tag) as "tag", values(Authentication.user) as user, values(Authentication.sourcetype) as sourcetype, dc(Authentication.user) as "user_count",dc(Authentication.dest) as "dest_count",count from datamodel=Authentication.Authentication where nodename=Authentication.Failed_Authentication by "Authentication.app","Authentication.src"
| `drop_dm_object_name("Authentication")`
| where 'count'>=6

For some reason it does not return the values of sourcetype and tag fields, it stays empty. There is no issue with other fields like user and dest. A simple |from datammodel:Authentication... search returns all fields' values as well.

Do you have an idea what the issue is caused by and how it could be fixed?

Many thanks!

begleyj1 · ‎02-03-2020

For the common default fields, you would not need to reference the dataset name. You can just use "values(sourcetype) as sourcetype". Same goes with _time, source, and host.

View solution in original post

begleyj1 · ‎02-03-2020

For the common default fields, you would not need to reference the dataset name. You can just use "values(sourcetype) as sourcetype". Same goes with _time, source, and host.

woodentree · ‎02-03-2020

Great! Thanks for the help!

Empty 'sourcetype' field in Authentication data model if tstats query used

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann