Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to Validate Datamodel

Arpmjdr
Explorer
‎11-12-2019 09:41 PM

Hi Friends,

I am using SPLUNK ES 5.3.1 version.I am trying to validate the existing datamodels(Total 32 including cim validation s.o.s) and finding answers for the points mentioned below:

  1. Whether the DMs are updating properly
  2. whether they contain information that is need to populate the data tables
  3. whether the data sources ingested to splunk are correct and parsed to be consumed by DMs.

Could you please help me how I shall be able to do this? TIA

0 Karma
Reply

aholzel
Communicator
‎11-13-2019 02:31 AM

if you are interested in the DM % complete over time you can create a search to get that data from the REST API endpoint and store it in a lookup I have done it like this:

Search to get the info from the API endpoint (runs every 5 min):

| rest /services/admin/summarization by_tstats=t splunk_server=local count=0
| eval datamodel=replace('summary.id',"DM_",""), datamodel=replace(datamodel,'eai:acl.app'."_",'eai:acl.app'."/"), _time=now(), complete='summary.complete'*100
| table _time datamodel complete
| outputlookup dm_complete_info.csv append=t

Search to cleanup data older than 14 days from the lookup table (runs every day at midnight):

| inputlookup dm_complete_info.csv
| eval oldest=now()-(14*86400)
| where _time>oldest
| table _time datamodel complete
| outputlookup dm_complete_info.csv

Search to make a graph of the data:

| inputlookup dm_complete_info.csv
| where _time>now()-(86400*7)
| chart values(complete) AS complete over _time by datamodel useother=f usenull=f limit=0
0 Karma
Reply

ralam
Explorer
‎11-12-2019 10:39 PM

Hello @Arpmjdr ,

One such app in Splunk to validate the Datemodel may be "Insight Analyzer" https://splunkbase.splunk.com/app/4618/.

Its DataModel Coverage section would give you immense information on the coverage of each Datamodels that you have.alt text

Regards,
Rehan

Preview file
212 KB
0 Karma
Reply

Arpmjdr
Explorer
‎11-13-2019 02:18 AM

Thanks Rehan ! Does SA-cim_Validator also work similar to it ?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...