Splunk Enterprise Security

How to find out which data model a particular app maps to?

tmkunte
Engager

How do I find out which data model a particular app "maps" to?

Specifically the Cisco security suite ...

I see it is CIM compatible and need to get that data into my SIEM

0 Karma

nvonkorff
Path Finder

Hi @tmkunte 

I recently wrote an app (Data model wrangler) that helps with identifying indexes and sourcetypes that are mapped to data models and calculates two scores to determine an overall health-check of mapping:

  • Mapping quality - Percent of recommended fields in the data model that are found in each index/sourcetype
  • Data quality - Percent coverage of each field within the data, e.g. 25% of events have the 'src' field present

It also provides a field-level view of mapped data to determine which fields are present/missing and which fields have a low data quality.

This may help to give a better understanding of what is mapped to each data model. It is also useful when trying to map custom sourcetypes to data models.

0 Karma

ryanoconnor
Builder

The Cisco Security Suite App https://splunkbase.splunk.com/app/525/ searches data from a number of different Cisco devices. Many of those devices have their own individual Technology Add-ons.

Those specific technology add-ons are what you're going to want to look at. They will have tags that determine which data model the data is going to go into. The Splunk Add-on for Cisco ASA is a great example. https://splunkbase.splunk.com/app/1620/

For more information on which tags go to which data models you can look at specific data models here: http://docs.splunk.com/Documentation/CIM/latest/User/Overview

0 Karma
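To show the tag-to-data-model relationship described above in working form, here is an added example (not from the thread or from any Splunk add-on) that parses a TA's `eventtypes.conf` and `tags.conf` and reports which CIM data models each eventtype satisfies. The conf bodies are constructed samples, and the `CIM_MODEL_TAGS` table is a hand-picked subset of the tag constraints documented for the CIM data models; both are assumptions for illustration.

```python
import configparser
from typing import Dict, List, Set

# Constructed sample of a TA's default/eventtypes.conf (not a real add-on's file).
EVENTTYPES_CONF = """
[cisco_asa_auth]
search = sourcetype=cisco:asa message_id=113*

[cisco_asa_connection]
search = sourcetype=cisco:asa message_id=302*

[cisco_asa_untagged]
search = sourcetype=cisco:asa message_id=7*
"""

# Constructed sample of default/tags.conf: one stanza per eventtype, "<tag> = enabled".
TAGS_CONF = """
[eventtype=cisco_asa_auth]
authentication = enabled

[eventtype=cisco_asa_connection]
network = enabled
communicate = enabled
"""

# Subset of CIM data model tag constraints (assumption: abbreviated from the CIM docs).
CIM_MODEL_TAGS: Dict[str, Set[str]] = {
    "Authentication": {"authentication"},
    "Network_Traffic": {"network", "communicate"},
    "Intrusion_Detection": {"ids", "attack"},
    "Malware": {"malware", "attack"},
    "Web": {"web"},
}

def _parse_conf(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep tag names exactly as written in the conf file
    cp.read_string(text)
    return cp

def eventtype_tags(tags_conf: str) -> Dict[str, Set[str]]:
    """Return {eventtype: enabled tags} from a tags.conf body ([eventtype=...] stanzas only)."""
    cp = _parse_conf(tags_conf)
    return {s.split("=", 1)[1]: {t for t, v in cp[s].items() if v.lower() == "enabled"}
            for s in cp.sections() if s.startswith("eventtype=")}

def mapped_models(eventtypes_conf: str, tags_conf: str) -> Dict[str, List[str]]:
    """Map every eventtype to the CIM data models whose required tags it carries."""
    tags_by_et = eventtype_tags(tags_conf)
    return {et: sorted(m for m, req in CIM_MODEL_TAGS.items() if req <= tags_by_et.get(et, set()))
            for et in _parse_conf(eventtypes_conf).sections()}

if __name__ == "__main__":
    for et, models in mapped_models(EVENTTYPES_CONF, TAGS_CONF).items():
        print(f"{et}: {', '.join(models) or 'no CIM data model (check tags.conf)'}")
```

Eventtypes that come back empty are the ones that will never appear in a data model search, which is the usual cause of "CIM compatible" data missing from Enterprise Security.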