- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- How to list data models and verify they are functi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks in advance for your time and assistance.
Can someone please tell me how to generate a list of configured, properly functioning Data Models that support Splunk Enterprise Security correlation searches?
There are more data models listed in Settings --> Data Models than when I perform a '| datamodel' search, such as the one pointed to here: list all datamodels with the feeds (index, sourcet... - Splunk Community.
I just want to nail down a method for ensuring that the data models configured within correlation searches are configured - AND are operating as intended.
Again, thank you.
Sven
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @Sven1, To list down all the correlation searches from all Data Models, can you please try below search -
| rest /servicesNS/-/-/saved/searches splunk_server=local
| where disabled=0
| search search="*datamodel*"
| rex field=search max_match=0 "from\ datamodel(\ |\=\"|\=|\:\"|\=)(?P<datamodel_Name>[a-zA-Z0-9\_]+)"
| table datamodel_Name, title, qualifiedSearch, search, updated, "eai:acl.owner", author, "eai:aal.app"
| mvexpand datamodel_Name
| stats values(title) by datamodel_Name
| fields - count
Above search will give you near-accurate results.
Please accept the solution if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @Sven1, To list down all the correlation searches from all Data Models, can you please try below search -
| rest /servicesNS/-/-/saved/searches splunk_server=local
| where disabled=0
| search search="*datamodel*"
| rex field=search max_match=0 "from\ datamodel(\ |\=\"|\=|\:\"|\=)(?P<datamodel_Name>[a-zA-Z0-9\_]+)"
| table datamodel_Name, title, qualifiedSearch, search, updated, "eai:acl.owner", author, "eai:aal.app"
| mvexpand datamodel_Name
| stats values(title) by datamodel_Name
| fields - count
Above search will give you near-accurate results.
Please accept the solution if this helps!
Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
