Hello all,
I am trying to get some DNS data into my Network Resolution (DNS) datamodel.
I currently ingest DNS data via the Splunk Stream app which goes into an index called wn_dns_stream.
I have my CIM app white list this index for the Network Resolution (DNS) datamodel.
I have created an event type called dns_stream that is applied to all data with the dns:stream sourcetype.
I also have a tag called dns that gets applied to anything with the eventtype=dns_stream.
In the datamodel settings I can see that Network Resolution looks for the following:
(cim_Network_Resolution_indexes) tag=network tag=resolution tag=dns
When I search for 'cim_Network_Resolution_indexes' I get my wn_dns_stream index with all of its data. In this index I can see my event type and tag that I created.
I then ran this search:
| datamodel "Network_Resolution" summariesonly=true search | timechart span=1h count
This returns nothing even though searching for 'cim_Network_Resolution_indexes' tag=dns returns 300,000 events for the same time period.
Also, I have confirmed with this document that I have the appropriate fields for this data model:
https://docs.splunk.com/Documentation/CIM/4.14.0/User/NetworkResolutionDNS
Does anyone know why my data model doesn't seem to see any data?
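For reference, the tagging described in the question can be expressed as plain knowledge-object configuration. The stanzas below are an added example, not the poster's or the CIM app's own files; the app directory, the `local/` path and the exact eventtype search are assumptions, while the index, sourcetype, eventtype and tag names come from the question. The datamodel constraint quoted above requires all three tags (network, resolution, dns) on every event, so the tags.conf stanza attaches all three to the eventtype rather than only dns.

```ini
# $SPLUNK_HOME/etc/apps/<your_app>/local/eventtypes.conf
# (app name and file location are assumptions)
[dns_stream]
search = index=wn_dns_stream sourcetype=dns:stream

# $SPLUNK_HOME/etc/apps/<your_app>/local/tags.conf
# Network_Resolution's root constraint is tag=network tag=resolution tag=dns,
# so each of the three tags must be enabled on the eventtype.
[eventtype=dns_stream]
network = enabled
resolution = enabled
dns = enabled
```

After a restart or a `| rest /services/data/props/...` refresh is not required for tags; the searches below verify the change directly.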
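The searches below are an added set of checks, not part of the original post, for separating a tagging problem from an acceleration problem. `summariesonly=true` only returns events that are already in the data model's accelerated summary, so an empty result with that option while the un-summarised datamodel search returns events points at acceleration (not enabled, or not yet built for the time range) rather than at the tags. Index, sourcetype and tag names are taken from the question.

```spl
/* 1. Do the raw events carry all three tags the constraint needs?
      A result count of 0 here means the tagging, not the data model, is the gap. */
index=wn_dns_stream sourcetype=dns:stream tag=network tag=resolution tag=dns
| stats count

/* 2. Does the data model itself match the events when summaries are not required? */
| datamodel Network_Resolution search
| timechart span=1h count

/* 3. Same question against the accelerated summary only.
      Counts here that are lower than in (2) mean the summary is missing or lagging. */
| tstats summariesonly=true count from datamodel=Network_Resolution by _time span=1h
```

Run (1), (2) and (3) over the same time range as the original `timechart`; the pair of results (2) and (3) shows whether the events are reaching the model at all and whether the acceleration summary has caught up with them.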
I have the same issue and I didn't manage to fix it for the moment.
I will post the Splunk support answer as nobody provides answers on this forum...