Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to Validate Datamodel

Arpmjdr
Explorer
‎11-12-2019 09:41 PM

Hi Friends,

I am using SPLUNK ES 5.3.1 version.I am trying to validate the existing datamodels(Total 32 including cim validation s.o.s) and finding answers for the points mentioned below:

  1. Whether the DMs are updating properly
  2. whether they contain information that is need to populate the data tables
  3. whether the data sources ingested to splunk are correct and parsed to be consumed by DMs.

Could you please help me how I shall be able to do this? TIA

0 Karma
Reply

aholzel
Communicator
‎11-13-2019 02:31 AM

if you are interested in the DM % complete over time you can create a search to get that data from the REST API endpoint and store it in a lookup I have done it like this:

Search to get the info from the API endpoint (runs every 5 min):

| rest /services/admin/summarization by_tstats=t splunk_server=local count=0
| eval datamodel=replace('summary.id',"DM_",""), datamodel=replace(datamodel,'eai:acl.app'."_",'eai:acl.app'."/"), _time=now(), complete='summary.complete'*100
| table _time datamodel complete
| outputlookup dm_complete_info.csv append=t

Search to cleanup data older than 14 days from the lookup table (runs every day at midnight):

| inputlookup dm_complete_info.csv
| eval oldest=now()-(14*86400)
| where _time>oldest
| table _time datamodel complete
| outputlookup dm_complete_info.csv

Search to make a graph of the data:

| inputlookup dm_complete_info.csv
| where _time>now()-(86400*7)
| chart values(complete) AS complete over _time by datamodel useother=f usenull=f limit=0
0 Karma
Reply

ralam
Explorer
‎11-12-2019 10:39 PM

Hello @Arpmjdr ,

One such app in Splunk to validate the Datemodel may be "Insight Analyzer" https://splunkbase.splunk.com/app/4618/.

Its DataModel Coverage section would give you immense information on the coverage of each Datamodels that you have.alt text

Regards,
Rehan

Preview file
212 KB
0 Karma
Reply

Arpmjdr
Explorer
‎11-13-2019 02:18 AM

Thanks Rehan ! Does SA-cim_Validator also work similar to it ?

0 Karma
Reply
Get Updates on the Splunk Community!

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...