- Splunk Answers
- :
- Splunk Premium Solutions
- :
- Security Premium Solutions
- :
- Splunk Enterprise Security
- :
- Re: How to list data models and verify they are fu...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks in advance for your time and assistance.
Can someone please tell me how to generate a list of configured, properly functioning Data Models that support Splunk Enterprise Security correlation searches?
There are more data models listed in Settings --> Data Models than when I perform a '| datamodel' search, such as the one pointed to here: list all datamodels with the feeds (index, sourcet... - Splunk Community.
I just want to nail down a method for ensuring that the data models configured within correlation searches are configured - AND are operating as intended.
Again, thank you.
Sven
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @Sven1, To list down all the correlation searches from all Data Models, can you please try below search -
| rest /servicesNS/-/-/saved/searches splunk_server=local
| where disabled=0
| search search="*datamodel*"
| rex field=search max_match=0 "from\ datamodel(\ |\=\"|\=|\:\"|\=)(?P<datamodel_Name>[a-zA-Z0-9\_]+)"
| table datamodel_Name, title, qualifiedSearch, search, updated, "eai:acl.owner", author, "eai:aal.app"
| mvexpand datamodel_Name
| stats values(title) by datamodel_Name
| fields - count
Above search will give you near-accurate results.
Please accept the solution if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @Sven1, To list down all the correlation searches from all Data Models, can you please try below search -
| rest /servicesNS/-/-/saved/searches splunk_server=local
| where disabled=0
| search search="*datamodel*"
| rex field=search max_match=0 "from\ datamodel(\ |\=\"|\=|\:\"|\=)(?P<datamodel_Name>[a-zA-Z0-9\_]+)"
| table datamodel_Name, title, qualifiedSearch, search, updated, "eai:acl.owner", author, "eai:aal.app"
| mvexpand datamodel_Name
| stats values(title) by datamodel_Name
| fields - count
Above search will give you near-accurate results.
Please accept the solution if this helps!
Enterprise Security Content Update (ESCU) | New Releases
Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest
We’ve Got Education Validation!
