EnterpriseSecurity - DataModels

astatrial · ‎09-02-2020

Hi everyone,

Introduction:

We have Palo Alto products, and we have also installed the appropriate add-on and apps. We mapped the data into the data models and the relevant data model for my question is the Web data model .

There is a field called dest in the DM, and for datamodel web (for palo alto) i need its value to be "dest_hostname" (the current value is "dest_ip"). The current value is relevant for the Network Traffic DM, therefore i don't want to change it.

Question:

Is it OK to add additional fields to the built-in data models of Splunk ES, or is it not recommended?

What are the downsides of action like this?

Thanks !

richgalloway · ‎09-02-2020

Don't add fields to a DM unless absolutely necessary. In your case, you should be able to add the dest field by creating a new field alias that maps dest_ip to dest.

---
If this reply helps you, Karma would be appreciated.

astatrial · ‎09-03-2020

Hi @richgalloway ,

Thanks for the fast reply.

It is a bit problematic, as there is already a mapping from dest_ip to dest which is relevant for the "Network Traffic" data model. I need the dest in Web data model to contain values from dest_hostname and not dest IP (for palo alto).

EnterpriseSecurity - DataModels

using Enterprise Security

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!