Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

event code 39

splunk_user9968
New Member
‎08-27-2024 03:58 AM

I would like to create a search with data models where my event id is 39. However, there is no datamodel that fulfills my criteria. Is there anyone kn

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎08-27-2024 04:08 AM

There is no datamodel for this because datamodels abstract the event's conceptual side from the actual implementation. That's why your "event id being 39" is not a good condition for a CIM datamodel.

You can of course build your own datamodel but the question is what would you want to achieve with it. If you just want to find all events with this event id you can do so using normal event search (with some possible acceleration techniques).

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...