Splunk Enterprise Security

Eval command with check on sourcetype does not work with Data Model

SIEMStudent
Path Finder

Hi Splunkers,

I have an issue with the use of Data Model, eval command and sourcetype as filter. Let me explain better.

Customer asked us to modify the field 

action

on Data Model Email: if the sourcetype is a particular one, let's say xxx, action must be equal to another field called 

final_action

Otherwise, the normal behaivor is fine.

Now, in the Email Data Model the field action is a calculated one with the following eval expression:

if(isnull(action) OR action="","unknown",action)

So, I thought to simply modify it in a case expression, adding the check on the sourcetype; based on this, I tested the following search:

| from datamodel:"Email" 
| eval action = case(isnull(action) OR action="","unknown", sourcetype="xxx", final_action, 1=1, action) 
| stats count values(action) as action by sourcetype

 But it does not works; I mean, the field action is correctly filled for all other sourcetypes we have, but the action output field, for sourcetype xxx is empty.

My first doubt was: does the problem exists because I used different fields in case function, not equal between them? So I used this search:

| from datamodel:"Email" 
| eval action = if(isnull(action) OR action="","unknown", action) 
| eval action = if(sourcetype="xxx", final_action, action) 
| stats count values(action) as action by sourcetype

But the action output for sourcetype xxx is still empty.

I'm sure that the field is correct and populated because if I use a search without datamodel, comparing 2 different sourcetype we have for mails, the search work fine. For example, if I use:

index=* sourcetype IN (xxx, yyy) 
| eval action=if(sourcetype="xxx", final_action, action) 
| stats count values(action) as action by sourcetype

The outoput is the desiderd one: the action field for yyy is the already exiting one, while for xxx is overwritten with final_action values.

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try to avoid modifying data models.  Once modified, the customer is stuck maintaining the DM when new changes are released by Splunk.

A better practice is to modify (or create) the appropriate TA to set the action field based on sourcetype.  Then let the DM continue with its existing logic.  For example, the TA's props.conf file might contain

[xxx]
EVAL-action = final_action
---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...