Splunk Enterprise

How to create Identity information on a datamodel search?

XavG_KS
Loves-to-Learn

Hi,

I just noticed a strange behavior in Splunk Identity management and the datamodel.

Indeed, if I make a search based on "index + sourcetype", my results include all identity information when the user is known.

But when I execute the same search based on the datamodel (Web in my example), I only have the information that is specifically mentioned in the data model.

I don't understand that behavior. The goal of Splunk ES is to use the DM as much as we can, but we lose information...

What am I missing?

How can I retrieve all the Identity (and Asset) information with a datamodel search?

Thanks in advance

Xavier

richgalloway
SplunkTrust

What you've experienced is normal. A data model can display only what is in the DM, just like an index search can display only what is in the index.

Combining data from a DM and an index (or multiple DMs or indexes) is called a correlation and is one of Splunk's reasons for being.  Use the Web.user field to pull identity information.

---
If this reply helps you, Karma would be appreciated.

XavG_KS
Loves-to-Learn

Hi,

Thanks for the feedback.

Ok, I get it, but can you tell me "HOW" I pull identity information from the Web.user field?

Because one thing I don't understand is when you say "index search can display only what is in the index": it's wrong, as in my example the search is index based BUT it also displays user information FROM the asset & identity framework. Proof: in the log (so in the index) there is no information like managedBy, company, ...

The user's information integration is done automatically by the framework, I suppose.

richgalloway
SplunkTrust

In your example, data from the index is supplemented by data from lookup files. You can do the same with data from a data model.

---
If this reply helps you, Karma would be appreciated.
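
The enrichment described in the reply above, written out as an added SPL example that is not part of the original thread: a tstats search over the Web data model, followed by explicit lookups against the Splunk ES identity and asset lookups so that the same identity fields the index search shows (first, last, email, managedBy, bunit, ...) appear on data model results too. It assumes the standard SA-IdentityManagement lookup names `identity_lookup_expanded` (key field `identity`) and `asset_lookup_by_str` (key field `asset`), and that `Web.user` and `Web.src` hold values those lookups can match.

```spl
| tstats summariesonly=false count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Web
    where Web.user!="unknown" Web.user!="-"
    by Web.user Web.src Web.dest
| rename Web.user as user Web.src as src Web.dest as dest
| lookup identity_lookup_expanded identity as user
    OUTPUTNEW first last email managedBy bunit as user_bunit category as user_category priority as user_priority watchlist as user_watchlist
| lookup asset_lookup_by_str asset as src
    OUTPUTNEW nt_host as src_nt_host owner as src_owner bunit as src_bunit category as src_category priority as src_priority
| convert ctime(firstTime) ctime(lastTime)
| table firstTime lastTime user first last email managedBy user_bunit user_category user_priority user_watchlist src src_nt_host src_owner src_bunit dest count
```

The raw index search gets these fields for free because ES applies them as automatic lookups on the events at search time, and automatic lookups never run on tstats output, which is why the data model search has to call `lookup` itself. Once the Web data model is accelerated, `summariesonly=true` makes the first stage run from the summaries only.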