Splunk Enterprise Security

How to Validate Datamodel

Arpmjdr
Explorer

Hi Friends,

I am using SPLUNK ES 5.3.1 version. I am trying to validate the existing datamodels (32 in total, including CIM validation S.o.S) and finding answers for the points mentioned below:

  1. Whether the DMs are updating properly
  2. whether they contain the information that is needed to populate the data tables
  3. whether the data sources ingested into Splunk are correct and parsed so that they can be consumed by the DMs.

Could you please help me with how I can do this? TIA

0 Karma

aholzel
Communicator

If you are interested in the DM % complete over time, you can create a search that gets that data from the REST API endpoint and stores it in a lookup. I have done it like this:

Search to get the info from the API endpoint (runs every 5 min):

| rest /services/admin/summarization by_tstats=t splunk_server=local count=0
| eval datamodel=replace('summary.id',"DM_",""), datamodel=replace(datamodel,'eai:acl.app'."_",'eai:acl.app'."/"), _time=now(), complete='summary.complete'*100
| table _time datamodel complete
| outputlookup dm_complete_info.csv append=t

Search to cleanup data older than 14 days from the lookup table (runs every day at midnight):

| inputlookup dm_complete_info.csv
| eval oldest=now()-(14*86400)
| where _time>oldest
| table _time datamodel complete
| outputlookup dm_complete_info.csv

Search to make a graph of the data:

| inputlookup dm_complete_info.csv
| where _time>now()-(86400*7)
| chart values(complete) AS complete over _time by datamodel useother=f usenull=f limit=0
0 Karma
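The three searches above are the whole pipeline: poll the summarization endpoint, normalise the summary id into an app/model name, append to a lookup, prune it, and plot it. As an added example (not from the post above and not Splunk's own code), the following Python reproduces that pipeline offline so the normalisation and retention logic can be checked before it is trusted in a scheduled search. It assumes a REST response in the `output_mode=json` shape with the three fields the SPL reads (`summary.id`, `eai:acl.app`, `summary.complete`) under each entry's `content`; the sample response, the 14-day retention, and the 95 % "lagging" threshold are constructed values, not anything from the page.

```python
import json
import time

DAY_SECONDS = 86400

# Constructed sample in the shape of output_mode=json from
# /services/admin/summarization?by_tstats=t&count=0 (assumption: only the three
# fields the SPL search reads are modelled; real responses carry many more).
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"content": {"summary.id": "DM_Splunk_SA_CIM_Authentication",
                     "eai:acl.app": "Splunk_SA_CIM",
                     "summary.complete": 1.0}},
        {"content": {"summary.id": "DM_Splunk_SA_CIM_Network_Traffic",
                     "eai:acl.app": "Splunk_SA_CIM",
                     "summary.complete": 0.6234}},
        {"content": {"summary.id": "DM_Splunk_SA_CIM_Web",
                     "eai:acl.app": "Splunk_SA_CIM",
                     "summary.complete": 0.0}},
    ]
})


def datamodel_name(summary_id, app):
    """Same normalisation as the SPL eval: drop the DM_ prefix, then turn the
    app prefix into app/model, e.g. Splunk_SA_CIM/Authentication."""
    name = summary_id.replace("DM_", "")
    return name.replace(app + "_", app + "/")


def parse_summarization(json_text, now=None):
    """Turn one REST response into lookup rows: _time, datamodel, complete (%)."""
    now = int(time.time()) if now is None else now
    rows = []
    for entry in json.loads(json_text)["entry"]:
        c = entry["content"]
        rows.append({
            "_time": now,
            "datamodel": datamodel_name(c["summary.id"], c["eai:acl.app"]),
            # summary.complete is a 0..1 fraction; the lookup stores a percentage
            "complete": round(float(c["summary.complete"]) * 100, 2),
        })
    return rows


def prune(rows, now, days=14):
    """The midnight cleanup search: keep only rows newer than now - days."""
    oldest = now - days * DAY_SECONDS
    return [r for r in rows if r["_time"] > oldest]


def lagging(rows, threshold=95.0):
    """Data models whose most recent sample is below the threshold. Correlation
    searches that tstats over these models are silently missing events."""
    latest = {}
    for r in sorted(rows, key=lambda r: r["_time"]):
        latest[r["datamodel"]] = r["complete"]
    return sorted(dm for dm, pct in latest.items() if pct < threshold)


if __name__ == "__main__":
    now = int(time.time())
    rows = parse_summarization(SAMPLE_RESPONSE, now)
    for r in rows:
        print(f'{r["datamodel"]:40s} {r["complete"]:6.2f}%')
    print("lagging:", lagging(rows))
```

`lagging()` is the check the original searches stop short of: a data model that sits well under 100 % complete for days means ES correlation searches over it are running against an incomplete summary, so it is worth alerting on, not only graphing.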

ralam
Loves-to-Learn

Hello @Arpmjdr ,

One such app in Splunk to validate the Datamodel may be "Insight Analyzer" https://splunkbase.splunk.com/app/4618/.

Its DataModel Coverage section would give you immense information on the coverage of each Datamodel that you have.

Regards,
Rehan

0 Karma

Arpmjdr
Explorer

Thanks Rehan! Does SA-cim_Validator also work similarly to it?

0 Karma