Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Setting alias for multivalued field for ES/CIM compliance

jwalzerpitt
Influencer
‎05-03-2019 04:31 AM

I created an alias for the X_MS_Forwarded_Client_IP (ADFS events) to equal to src. The X_MS_Forwarded_Client_IP is a multivalue field which leads me to a few questions:

1) We are running ES so do I need to do anything further to ensure that the new src field for the ADFS logs is included in the data model and CIM compliant? The app I created the initial alias was under Search & Reporting (search). Should this alias be under a different app, or does creating an alias and setting permission to all apps satisfy that requirement?

2) Do I need to make any additional config changes due to the field being multivalued? Right now for searches, I add | makemv delim="," src at the end to break them out. I worry with ES data models/CIM so additional configuration might need to be made to break them out automatically

Thx

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lakshman239
SplunkTrust
SplunkTrust
‎05-03-2019 08:32 AM

If your sourcetype/index is already included in the datamodel for your use cases, it will automatically pick the 'src' field as per the datamodel. If you don't want the values to be MV, you can convert to single values using fields.conf - TOKENIZER.

Its generally a good practice to have your changes in a custom app or one of the existing app and not in search and reporting. If you want your knowledge objects to be visible for other apps, yes, it should be global permission. [ you can also put all your changes in an app and setup export].

View solution in original post

Reply
Solved! Jump to solution

jwalzerpitt
Influencer
‎05-06-2019 10:00 AM

Thx for the reply and information - greatly appreciated

0 Karma
Reply
Solved! Jump to solution
Solution

lakshman239
SplunkTrust
SplunkTrust
‎05-03-2019 08:32 AM

If your sourcetype/index is already included in the datamodel for your use cases, it will automatically pick the 'src' field as per the datamodel. If you don't want the values to be MV, you can convert to single values using fields.conf - TOKENIZER.

Its generally a good practice to have your changes in a custom app or one of the existing app and not in search and reporting. If you want your knowledge objects to be visible for other apps, yes, it should be global permission. [ you can also put all your changes in an app and setup export].

Reply
Get Updates on the Splunk Community!

Index This | Why do they call it hyper text?

November 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk

For the past three years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

The Great Resilience Quest: 9th Leaderboard Update

The ninth leaderboard update (11.9-11.22) for The Great Resilience Quest is out >> Kudos to all the ...