Splunk Enterprise

How to create Identity information on a datamodel search?

XavG_KS
Loves-to-Learn

Hi,

I just noticed a strange behavior in Splunk Identity management and the datamodel.

Indeed, if I make a search based on "index + sourcetype", my results include all identity information when the user is known.

But when I execute the same search based on the datamodel (Web in my example), I only have the information that is specifically mentioned in the data model.

I don't understand that behavior... the goal of Splunk ES is to use the DM as much as we can, but we lose information...

What am I missing?

How can I retrieve all the Identity (and Asset) information with a datamodel search?

Thanks in advance

Xavier

richgalloway
SplunkTrust

What you've experienced is normal.  A data model can display only what is in the DM, just like an index search can display only what is in the index.

Combining data from a DM and an index (or multiple DMs or indexes) is called a correlation and is one of Splunk's reasons for being.  Use the Web.user field to pull identity information.

---
If this reply helps you, Karma would be appreciated.

XavG_KS
Loves-to-Learn

Hi,

Thanks for the feedback.

Ok, I get it, but can you tell me "HOW" I pull identity information from the Web.user field?

Because one thing I don't understand is when you say "index search can display only what is in the index": it's wrong, as in my example the search is index-based BUT it also displays user information FROM the asset & identity framework.  The proof is that in the log (so in the index) there is no information like managedBy, company, ...

The user's information integration is done automatically by the framework, I suppose.

richgalloway
SplunkTrust

In your example, data from the index is supplemented by data from lookup files.  You can do the same with data from a data model.

---
If this reply helps you, Karma would be appreciated.
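An added example of the enrichment richgalloway describes, not code from the thread: a Web datamodel search whose user field is joined against the ES identity lookup. It assumes the standard Splunk ES lookup `identity_lookup_expanded` with its `identity` key field and the usual identity attributes (first, last, email, managedBy, bunit, priority); check the lookup and field names in your own ES instance, since custom fields like "company" only exist if your identity source defines them.

```spl
| tstats summariesonly=true count AS events
    FROM datamodel=Web
    BY Web.user, Web.src, Web.dest, Web.url
| rename Web.* AS *
| search user!="unknown" user!="-"
| lookup identity_lookup_expanded identity AS user
    OUTPUT first last email managedBy bunit priority
| table _time user first last email managedBy bunit priority src dest url events
```

The same `lookup` line works after a `| from datamodel:Web` search when you need raw events rather than tstats aggregates; the asset framework is joined the same way with `asset_lookup_by_str` on `src` or `dest`.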