Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to make action field CIM compliant

Haleb
Path Finder
‎04-17-2024 05:03 AM

I need to bring events related to creating and changing a user in the application to this CIM (Change->Account Management). To do this, I need the following values to be specified in the action field - acl_modified, cleared, created, deleted, modified, stopped, lockout, read, logoff, updated, started, restarted, unlocked according to this documentation. The problem is that the action field already exists in events with the following values - create, delete and it is used not only to describe actions with users but also for other objects. What method can you recommend to make the field CIM compliant?
Event example:

{ [-]
   action: delete
   actor_details: { [+]
   }
   actor_uuid: 11111111
   location: { [+]
   }
   object_details: { [+]
   }
   object_type: user #Also can be item, vault, etc
   object_uuid: 333333333
   session: { [+]
   }
   timestamp: 33213123
   uuid: 4444444
}

 

Labels (2)
Tags (2)
0 Karma
Reply

marnall
Motivator
‎04-17-2024 01:13 PM

Assuming you are only cim-normalizing Change->Account Management, you could filter the logs to object_type=user

Make an eventtype with search string:

<yoursearch>
| search object_type=user
```Or put the above search filter in the first line of your search```

And set the tags to "change,account"

Then you can make the action field cim-compliant by making a calculated field:

Name: action
Eval expression: case(action="create","created",action="delete","deleted",1=1,action)

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...