Splunk Enterprise Security

Network Resolution (DNS) data model doesn't have any data in it

Tylerdygert
Path Finder

Hello all,

I am trying to get some DNS data into my Network Resolution (DNS) datamodel.

I currently ingest DNS data via the Splunk Stream app which goes into an index called wn_dns_stream.
I have my CIM app white list this index for the Network Resolution (DNS) datamodel.
I have created an event type called dns_stream that is applied to all data with the dns:stream sourcetype.
I also have a tag called dns that gets applied to anything with the eventtype=dns_stream.

In the datamodel settings I can see that Network Resolution looks for the following:
(cim_Network_Resolution_indexes) tag=network tag=resolution tag=dns

When I search for 'cim_Network_Resolution_indexes' I get my wn_dns_stream index with all of its data. In this index I can see my event type and tag that I created.

I then ran this search:
| datamodel "Network_Resolution" summariesonly=true search | timechart span=1h count

This returns nothing even though searching for 'cim_Network_Resolution_indexes' tag=dns returns 300,000 events for the same time period.

Also, I have confirmed with this document that I have the appropriate fields for this data model:
https://docs.splunk.com/Documentation/CIM/4.14.0/User/NetworkResolutionDNS

Does anyone know why my data model doesn't seem to see any data?
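For reference, here is what a tag configuration satisfying the constraint quoted above (tag=network tag=resolution tag=dns) looks like, together with the searches used to verify each layer. This is an added illustration, not configuration from the original post or from the CIM app; the stanza names follow the event type, sourcetype and index named in the post, and the file paths assume a custom app directory.

```ini
# $SPLUNK_HOME/etc/apps/<your_app>/local/eventtypes.conf  (path assumed)
# Event type that selects the Stream DNS events.
[dns_stream]
search = index=wn_dns_stream sourcetype=dns:stream

# $SPLUNK_HOME/etc/apps/<your_app>/local/tags.conf  (path assumed)
# The Network_Resolution dataset is constrained on ALL THREE tags,
# so a single "dns" tag is not sufficient; each must be enabled.
[eventtype=dns_stream]
network = enabled
resolution = enabled
dns = enabled

# Verification searches (run in the search bar, not part of the .conf):
#
# 1. Raw events carry every required tag:
#    index=wn_dns_stream tag=network tag=resolution tag=dns | stats count
#
# 2. The data model's own constraint sees the events, without summaries:
#    | datamodel Network_Resolution DNS search | stats count
#
# 3. Only after acceleration is enabled and the summary has been built
#    does summariesonly=true return data; before that it returns nothing
#    by design:
#    | tstats summariesonly=true count from datamodel=Network_Resolution
#      by _time span=1h
```

If search 2 returns events but search 3 does not, the gap is acceleration (not yet enabled, or the summary still building) rather than tagging; if search 1 returns nothing, the tags are not being applied to the events.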

tme_cgi
Engager

I have the same issue and I didn't manage to fix it for the moment.

I will post the Splunk support answer as nobody provides answers on this forum...
