Splunk Enterprise Security

Enterprise Search: What are the Recommended Fields?

Motivator

The SA-cim-validator displays the recommended fields, while the official documentation at Common Information Model Add-on Manual doesn't refer to them.

We wonder what they are and why the official documentation doesn't refer to them.


Splunk Employee

The upcoming version of the documentation does refer to it. I'll keep you posted 🙂

Motivator

This is great news! What's the concept of the Recommended Fields? Will correlation searches and OOTB ES dashboards work when the datamodel has values just for the Recommended Fields?


Splunk Employee

Motivator

That's great but I hit memory limits and only three recommended fields show. Is there a way to query against one datamodel?



Splunk Employee

What if you change the /services/data/models to the one you want, such as:
/services/data/models/Alerts

Motivator

That works!!!


Splunk Employee

Thanks for the feedback! I'll add that nugget to the docs 🙂

Motivator

Thank you @lkutch_splunk


Motivator

Btw, the JSON refers to a required field attribute which is false throughout. Is it a placeholder field?


Splunk Employee

If you only want to see the true ones, you can add "search recommended=True" toward the end of the search:

... | search recommended=True | table model,object_name,field_name | sort model,object_name,field_name
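An added example (not the SA-cim-validator's own search) of pulling the recommended fields for one data model via the per-model REST endpoint mentioned above, which sidesteps the memory limit hit when querying all models at once. It assumes the stock data model JSON layout (objects[].fields[] with fieldName and required) and that the CIM add-on stores the recommended flag as embedded JSON inside each field's comment attribute.

```spl
| rest /services/data/models/Alerts splunk_server=local
| fields title, eai:data
| spath input=eai:data path=objects{} output=object
| mvexpand object
| spath input=object path=objectName output=object_name
| spath input=object path=fields{} output=field
| mvexpand field
| spath input=field path=fieldName output=field_name
| spath input=field path=required output=required
| spath input=field path=comment output=comment
| spath input=comment path=recommended output=recommended
| fillnull value="false" recommended
| search recommended=true
| rename title AS model
| table model, object_name, field_name, required, recommended
| sort model, object_name, field_name
```

Keeping the required column alongside recommended shows at a glance that the two attributes are independent (required stays false even for recommended fields).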

Motivator

Right, my question is about the concept of required fields that we see in the JSON document.
