Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Query on Data models

xoriantkbisht
Explorer
‎01-26-2020 06:11 AM

HI Team,
I have query regarding Data models base search

| multisearch [| from datamodel:Endpoint.Filesystem | search tag="change" ] [| from datamodel:Endpoint.Registry | search tag="change" ] [| from datamodel:Change.Endpoint_Changes | search ] | head 100

Above is the query for "Recent Endpoint Changes" in Endpoint Changes Dashboard (Splunk Enterprise Security (Endpoint Security Domain))

Now query refers to Endpoint.Filesystem data model. This data model includes cim_Endpoint_indexes macros which refers to index=crowstrike in my environment and 2 tags as tag=filesystem and tag=endpoint. These tags are filled with eventtypes where sourcetypes are specified. Now one of the eventtype refers to sourcetype as aws:cloudtrail.

And whatever result i am getting for above query is related to aws:cloudtrail only.

Now my understanding is when you are referring to data model in your query then it should gives you results from specified index and in this case index=crowdstrike sourcetype=aws:cloudtrail is invalid but still above search is populating results in dashboard

In short data models base search is not fulfilling the specified fields but still results are getting populated

Could you please correct my understandings.

0 Karma
Reply

codebuilder
Influencer
‎02-07-2020 10:20 AM

Datamodels can contain data from multiple indexes. They're not restricted to a single index or sourcetype.

You can easily find all the indexes and sourcetypes associated with a given datamodel with the following:

| tstats count from datamodel=your_datamodel_name by index, sourcetype
----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...