Splunk Enterprise Security

Eval command with check on sourcetype does not work with Data Model

SIEMStudent
Path Finder

Hi Splunkers,

I have an issue with the use of a Data Model, the eval command and sourcetype as a filter. Let me explain in more detail.

Customer asked us to modify the field action on the Email Data Model: if the sourcetype is a particular one, let's say xxx, action must be equal to another field called final_action. Otherwise, the normal behavior is fine.

Now, in the Email Data Model the field action is a calculated one with the following eval expression:

if(isnull(action) OR action="","unknown",action)

So, I thought to simply change it into a case expression, adding the check on the sourcetype; based on this, I tested the following search:

| from datamodel:"Email"
| eval action = case(isnull(action) OR action="","unknown", sourcetype="xxx", final_action, 1=1, action)
| stats count values(action) as action by sourcetype

But it does not work; I mean, the action field is correctly filled for all the other sourcetypes we have, but for sourcetype xxx the action output field is empty.

My first doubt was: does the problem exist because I used different fields in the case function, which are not equal to each other? So I used this search:

| from datamodel:"Email"
| eval action = if(isnull(action) OR action="","unknown", action)
| eval action = if(sourcetype="xxx", final_action, action)
| stats count values(action) as action by sourcetype

But the action output for sourcetype xxx is still empty.

I'm sure that the field is correct and populated because if I use a search without the datamodel, comparing 2 different sourcetypes we have for mails, the search works fine. For example, if I use:

index=* sourcetype IN (xxx, yyy)
| eval action=if(sourcetype="xxx", final_action, action)
| stats count values(action) as action by sourcetype

The output is the desired one: the action field for yyy is the already existing one, while for xxx it is overwritten with the final_action values.


richgalloway
SplunkTrust

Try to avoid modifying data models. Once modified, the customer is stuck maintaining the DM when new changes are released by Splunk.

A better practice is to modify (or create) the appropriate TA to set the action field based on sourcetype. Then let the DM continue with its existing logic. For example, the TA's props.conf file might contain

[xxx]
EVAL-action = final_action
---
If this reply helps you, Karma would be appreciated.
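As an added example (not richgalloway's snippet and not from any Splunk TA), here is a fuller form of the props.conf approach, assuming the stanza lives in the TA's local/props.conf and that some events of sourcetype xxx may lack final_action:

```ini
# local/props.conf in the TA that owns sourcetype xxx (path assumed)
#
# Search-time EVAL-* settings are calculated fields: Splunk applies them
# after field extraction and field aliases but before automatic lookups,
# and before the Email data model computes its own calculated "action"
# field. The data model's expression
#   if(isnull(action) OR action="","unknown",action)
# therefore sees the value set here and still yields "unknown" when this
# EVAL produces nothing. This assumes the original "action" is an
# extracted field; if it came from an automatic LOOKUP it would be null
# at this point, because lookups run after calculated fields.
[xxx]
# Override action with final_action, but keep the original action when
# final_action is missing or empty so those events do not lose the field.
EVAL-action = if(isnull(final_action) OR final_action="", action, final_action)
```

Once the TA is deployed to the search head, `| from datamodel:"Email" | where sourcetype="xxx" | stats count by action` should list the final_action values instead of an empty action, with no change to the data model itself.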