Splunk Enterprise Security

Eval command with check on sourcetype does not work with Data Model

SIEMStudent
Path Finder

Hi Splunkers,

I have an issue with the use of a Data Model, the eval command and sourcetype as a filter. Let me explain better.

The customer asked us to modify the field action on the Email Data Model: if the sourcetype is a particular one, let's say xxx, action must be equal to another field called final_action. Otherwise, the normal behavior is fine.

Now, in the Email Data Model the field action is a calculated one with the following eval expression:

if(isnull(action) OR action="","unknown",action)

So, I thought to simply modify it in a case expression, adding the check on the sourcetype; based on this, I tested the following search:

| from datamodel:"Email" 
| eval action = case(isnull(action) OR action="","unknown", sourcetype="xxx", final_action, 1=1, action) 
| stats count values(action) as action by sourcetype

But it does not work; I mean, the field action is correctly filled for all the other sourcetypes we have, but the action output field for sourcetype xxx is empty.

My first doubt was: does the problem exist because I used different fields in the case function, not equal between them? So I used this search:

| from datamodel:"Email" 
| eval action = if(isnull(action) OR action="","unknown", action) 
| eval action = if(sourcetype="xxx", final_action, action) 
| stats count values(action) as action by sourcetype

But the action output for sourcetype xxx is still empty.

I'm sure that the field is correct and populated because, if I use a search without the data model, comparing 2 different sourcetypes we have for mails, the search works fine. For example, if I use:

index=* sourcetype IN (xxx, yyy) 
| eval action=if(sourcetype="xxx", final_action, action) 
| stats count values(action) as action by sourcetype

The output is the desired one: the action field for yyy is the already existing one, while for xxx it is overwritten with the final_action values.


richgalloway
SplunkTrust

Try to avoid modifying data models.  Once modified, the customer is stuck maintaining the DM when new changes are released by Splunk.

A better practice is to modify (or create) the appropriate TA to set the action field based on sourcetype.  Then let the DM continue with its existing logic.  For example, the TA's props.conf file might contain

[xxx]
EVAL-action = final_action
---
If this reply helps you, Karma would be appreciated.
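A fuller version of the stanza suggested in that answer, added here as an example and not part of the original reply. It keeps the placeholder sourcetype xxx and the field names action and final_action used in this thread; the coalesce() fallback is an assumption about the desired behavior (use final_action when present, otherwise keep whatever action the sourcetype already extracts, so the data model's own "unknown" logic still applies when neither is set):

```ini
# props.conf in the TA that owns sourcetype xxx.
# Added example, not the original answer's text; "xxx", action and
# final_action are the placeholders from this thread.
# EVAL- settings are search-time, so the stanza must be deployed to
# the search heads (or the TA that is already installed there).
[xxx]
# Prefer final_action; fall back to the sourcetype's existing action field
# when final_action is absent. If both are missing, action stays null and
# the Email data model's calculated field turns it into "unknown".
EVAL-action = coalesce(final_action, action)
```

Two checks a practitioner will want: first, confirm the stanza fires on raw events with a search such as index=* sourcetype=xxx | stats count by action final_action, then re-run the thread's own | from datamodel:"Email" | stats count by sourcetype action to confirm the model picks the value up. One caveat from the props.conf documentation: calculated fields in a stanza are evaluated independently of one another, so final_action must come from a field extraction, alias or lookup, not from another EVAL- line in the same stanza.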