Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to Validate Datamodel

Arpmjdr
Explorer
‎11-12-2019 09:41 PM

Hi Friends,

I am using SPLUNK ES 5.3.1 version.I am trying to validate the existing datamodels(Total 32 including cim validation s.o.s) and finding answers for the points mentioned below:

  1. Whether the DMs are updating properly
  2. whether they contain information that is need to populate the data tables
  3. whether the data sources ingested to splunk are correct and parsed to be consumed by DMs.

Could you please help me how I shall be able to do this? TIA

0 Karma
Reply

aholzel
Communicator
‎11-13-2019 02:31 AM

if you are interested in the DM % complete over time you can create a search to get that data from the REST API endpoint and store it in a lookup I have done it like this:

Search to get the info from the API endpoint (runs every 5 min):

| rest /services/admin/summarization by_tstats=t splunk_server=local count=0
| eval datamodel=replace('summary.id',"DM_",""), datamodel=replace(datamodel,'eai:acl.app'."_",'eai:acl.app'."/"), _time=now(), complete='summary.complete'*100
| table _time datamodel complete
| outputlookup dm_complete_info.csv append=t

Search to cleanup data older than 14 days from the lookup table (runs every day at midnight):

| inputlookup dm_complete_info.csv
| eval oldest=now()-(14*86400)
| where _time>oldest
| table _time datamodel complete
| outputlookup dm_complete_info.csv

Search to make a graph of the data:

| inputlookup dm_complete_info.csv
| where _time>now()-(86400*7)
| chart values(complete) AS complete over _time by datamodel useother=f usenull=f limit=0
0 Karma
Reply

ralam
Loves-to-Learn
‎11-12-2019 10:39 PM

Hello @Arpmjdr ,

One such app in Splunk to validate the Datemodel may be "Insight Analyzer" https://splunkbase.splunk.com/app/4618/.

Its DataModel Coverage section would give you immense information on the coverage of each Datamodels that you have.alt text

Regards,
Rehan

Preview file
1 KB
0 Karma
Reply

Arpmjdr
Explorer
‎11-13-2019 02:18 AM

Thanks Rehan ! Does SA-cim_Validator also work similar to it ?

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...