Hi,
I just noticed a strange behavior in Splunk Identity management and the datamodel.
Indeed, if I make a search based on "index + sourcetype", my results include all identity information when the user is known.
But when I execute the same search based on the datamodel (Web in my example), I only have the information that is specifically mentioned in the data model.
I don't understand that behavior... the goal of Splunk ES is to use the DM as much as we can, but we lose information...
What am I missing?
How can I retrieve all the Identity (and Asset) information with a datamodel search?
Thanks in advance
Xavier
What you've experienced is normal. A data model can display only what is in the DM, just like an index search can display only what is in the index.
Combining data from a DM and an index (or multiple DMs or indexes) is called a correlation and is one of Splunk's reasons for being. Use the Web.user field to pull identity information.
Hi,
Thanks for the feedback.
Ok, I get it, but can you tell me "HOW" I pull identity information from the Web.user field?
Because one thing I don't understand is when you say "index search can display only what is in the index": it's wrong, as in my example the search is index based BUT it also displays user information FROM the asset & identity framework. Proof: in the log (so in the index) there is no information like managedBy, company, ...
The user's information integration is done automatically by the framework, I suppose.
In your example, data from the index is supplemented by data from lookup files. You can do the same with data from a data model.
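An added example of what that looks like in practice (this is not from the thread; it assumes a standard Splunk ES install where the identity framework publishes the `identity_lookup_expanded` lookup, and that the `managedBy` and `bunit` fields exist in your identity list; adjust names to whatever your ES version and identity configuration actually expose). The first search pulls the accelerated `Web` data model by user, then explicitly joins the identity lookup on the user name, which is the same enrichment the index search was getting from the framework's automatic lookups:

```spl
| tstats summariesonly=true count
    from datamodel=Web
    by Web.user, Web.src, Web.dest
| rename Web.user AS user, Web.src AS src, Web.dest AS dest
| lookup identity_lookup_expanded identity AS user
    OUTPUT managedBy, bunit, priority, watchlist
| table user, src, dest, count, managedBy, bunit, priority, watchlist
```

Two notes: `tstats` runs against the accelerated summary, which only stores the fields defined in the data model, so the lookup has to be stated explicitly rather than relying on automatic lookups attached to the sourcetype. If you instead run `| datamodel Web search`, the search is executed as a raw event search and the sourcetype's automatic lookups do apply, but you lose the acceleration speed-up. The same pattern works for assets: join the `src` or `dest` field against the asset lookup your ES version provides (for example `asset_lookup_by_str`, again assumed here rather than taken from the thread).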