Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

EnterpriseSecurity - DataModels

astatrial
Contributor
‎09-02-2020 07:14 AM

Hi everyone,

Introduction:

We have Palo Alto products, and we have also installed the appropriate add-on and apps. We mapped the data into the data models and the relevant data model for my question is the Web data model .

There is a field called dest in the DM, and for datamodel web (for palo alto) i need its value to be "dest_hostname" (the current value is "dest_ip"). The current value is relevant for the Network Traffic DM, therefore i don't want to change it. 

Question: 

Is it OK to add additional fields to the built-in data models of Splunk ES, or is it not recommended? 

What are the downsides of action like this? 

 

Thanks ! 

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-02-2020 08:24 AM

Don't add fields to a DM unless absolutely necessary.  In your case, you should be able to add the dest field by creating a new field alias that maps dest_ip to dest.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

astatrial
Contributor
‎09-03-2020 12:20 AM

Hi @richgalloway ,

Thanks for the fast reply.

It is a bit problematic, as there is already a mapping from dest_ip to dest which is relevant for the "Network Traffic" data model. I need  the dest in Web data model to contain values from dest_hostname and not dest IP (for palo alto).

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk MCP & Agentic AI: Machine Data Without Limits

  Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization ...

Finding Based Detections General Availability

Overview  We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Hands-On Learning and Technical Seminars  Sometimes, you just need to see the code. For those looking for a ...