Splunk Enterprise Security

Splunk Add-on for Windows - DNS No Mapped to CIM


i have installed the Splunk Add-on for Windows app to monitor DNS logs using the Debugging enabled option on my server.
i am seeing the events ingesting with the proper source type of MSAD:NT6:DNS but they are not tagged as DNS (only with Success and Failure tags)
also under the Tags Tab im not seeing that in the app there is DNS tag option for that app neither under the Sourcetype Tab
it means that the app does not map this source type to the data model.
the app is documented that it supports CIM
please explain

Labels (1)


I'd would have liked to provided you an answer but I am also having this issue. Did you find a solution?

0 Karma


I'm running across the same basic thing.

I have sourcetype="MSAD:NT6:DNS" and the fields are parsing correctly.

However, 'Network Resolution' Data Model is looking for 3 tags:


And the only thing that is tagging is 'success'.

Is there a param needed in the inputs.conf to get these tags working?

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...