Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to find out which data model a particular app maps to?

tmkunte
Engager
‎06-09-2016 07:25 AM

How do I find out which data model a particular app "maps" to?

Specifically the Cisco security suite ...

I see it is CIM compatible and need to get that data into my SIEM

Labels (1)
Labels
0 Karma
Reply

nvonkorff
Path Finder
‎02-08-2022 07:24 PM

Hi @tmkunte 

I recently wrote an app (Data model wrangler) that helps with identifying indexes and sourcetypes that are mapped to data models and calculates two scores to determine an overall health-check of mapping:

  • Mapping quality - Percent of recommended fields in the data model that are found in each index/sourcetype
  • Data quality - Percent coverage of each field within the data, e.g. 25% of events have the 'src' field present

It also provides a field-level view of mapped data to determine which fields are present/missing and which fields have a low data quality.

This may help to give a better understanding of what is mapped to each data model. It is also useful when trying to map custom sourcetypes to data models.

0 Karma
Reply

ryanoconnor
Builder
‎06-09-2016 08:33 AM

The Cisco Security Suite App https://splunkbase.splunk.com/app/525/ searches data from a number of different cisco devices. Many of those devices have their own individual Technology Add-ons.

Those specific technology add-ons are what you're going to want to look at. They will have tags that determine which data model the data is going to go into. The Splunk Add-on for Cisco ASA is a great example. https://splunkbase.splunk.com/app/1620/

For more information on which tags go to which data models you can look at specific data models here: http://docs.splunk.com/Documentation/CIM/latest/User/Overview

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...