Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to Validate Datamodel

Arpmjdr
Explorer
‎11-12-2019 09:41 PM

Hi Friends,

I am using SPLUNK ES 5.3.1 version.I am trying to validate the existing datamodels(Total 32 including cim validation s.o.s) and finding answers for the points mentioned below:

  1. Whether the DMs are updating properly
  2. whether they contain information that is need to populate the data tables
  3. whether the data sources ingested to splunk are correct and parsed to be consumed by DMs.

Could you please help me how I shall be able to do this? TIA

0 Karma
Reply

aholzel
Communicator
‎11-13-2019 02:31 AM

if you are interested in the DM % complete over time you can create a search to get that data from the REST API endpoint and store it in a lookup I have done it like this:

Search to get the info from the API endpoint (runs every 5 min):

| rest /services/admin/summarization by_tstats=t splunk_server=local count=0
| eval datamodel=replace('summary.id',"DM_",""), datamodel=replace(datamodel,'eai:acl.app'."_",'eai:acl.app'."/"), _time=now(), complete='summary.complete'*100
| table _time datamodel complete
| outputlookup dm_complete_info.csv append=t

Search to cleanup data older than 14 days from the lookup table (runs every day at midnight):

| inputlookup dm_complete_info.csv
| eval oldest=now()-(14*86400)
| where _time>oldest
| table _time datamodel complete
| outputlookup dm_complete_info.csv

Search to make a graph of the data:

| inputlookup dm_complete_info.csv
| where _time>now()-(86400*7)
| chart values(complete) AS complete over _time by datamodel useother=f usenull=f limit=0
0 Karma
Reply

ralam
Explorer
‎11-12-2019 10:39 PM

Hello @Arpmjdr ,

One such app in Splunk to validate the Datemodel may be "Insight Analyzer" https://splunkbase.splunk.com/app/4618/.

Its DataModel Coverage section would give you immense information on the coverage of each Datamodels that you have.alt text

Regards,
Rehan

Preview file
212 KB
0 Karma
Reply

Arpmjdr
Explorer
‎11-13-2019 02:18 AM

Thanks Rehan ! Does SA-cim_Validator also work similar to it ?

0 Karma
Reply
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey


Introducing Unified TDIR with the New Enterprise Security 8.2

Read the blog
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...