I am using Splunk ES and trying to match my IDS logs to the Intrusion Detection data model. I thought I did all preparatory steps required but when clicking in the ES app Search > Datasets > Intrusion Detection > IDS Attacks > Summarize Fields nearly all the of the fields are listed as "null or empty" and the few that are populated contain "unknown" in them.
Here is what I have done so far:
Created event type search to identify the logs and tag them as "ids" and "attack" per CIM docs (shared globally)
Created field aliases (shared globally) as most of my existing logs are named something other than the expected datamodel field name
3. Validating the data per step 6A
4. End result mostly null or unknown