Splunk Enterprise Security

How to list data models and verify they are functioning properly?

Sven1
Path Finder

Thanks in advance for your time and assistance. 

Can someone please tell me how to generate a list of configured, properly functioning Data Models that support Splunk Enterprise Security correlation searches? 

There are more data models listed in Settings --> Data Models than when I perform a '| datamodel' search, such as the one pointed to here: list all datamodels with the feeds (index, sourcet... - Splunk Community.

I just want to nail down a method for ensuring that the data models configured within correlation searches are configured - AND are operating as intended. 

Again, thank you.

Sven

   

 

 

Labels (1)
0 Karma
1 Solution

meetmshah
SplunkTrust
SplunkTrust

Hello @Sven1, To list down all the correlation searches from all Data Models, can you please try below search - 

| rest /servicesNS/-/-/saved/searches splunk_server=local 
| where disabled=0
| search search="*datamodel*" 
| rex field=search max_match=0 "from\ datamodel(\ |\=\"|\=|\:\"|\=)(?P<datamodel_Name>[a-zA-Z0-9\_]+)" 
| table datamodel_Name, title, qualifiedSearch, search, updated, "eai:acl.owner", author, "eai:aal.app" 
| mvexpand datamodel_Name 
| stats values(title) by datamodel_Name
| fields - count

 

Above search will give you near-accurate results.

 

Please accept the solution if this helps!

View solution in original post

meetmshah
SplunkTrust
SplunkTrust

Hello @Sven1, To list down all the correlation searches from all Data Models, can you please try below search - 

| rest /servicesNS/-/-/saved/searches splunk_server=local 
| where disabled=0
| search search="*datamodel*" 
| rex field=search max_match=0 "from\ datamodel(\ |\=\"|\=|\:\"|\=)(?P<datamodel_Name>[a-zA-Z0-9\_]+)" 
| table datamodel_Name, title, qualifiedSearch, search, updated, "eai:acl.owner", author, "eai:aal.app" 
| mvexpand datamodel_Name 
| stats values(title) by datamodel_Name
| fields - count

 

Above search will give you near-accurate results.

 

Please accept the solution if this helps!

First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.


Introducing Unified TDIR with the New Enterprise Security 8.2

Read the blog
Get Updates on the Splunk Community!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...