Splunk Search

Actions in regards to events coming in

domino30
Path Finder

We have searches for 4740 account lockouts not showing as action=lockout but instead as action=modified.

This is important to us as we are trying to configure ES but that's one dashboard where we aren't getting any results.

Where do we go to fix this?

Also, whenever you get a source or field that shows as "unknown", what's the best way to go about fixing these?

1 Solution

gcusello
SplunkTrust

Hi @domino30,

yes, calculated fields (like the one you shared) are one of the methods to normalize data.

Let me know if you solved your issue.

Ciao.

Giuseppe

gcusello
SplunkTrust

Hi @domino30,

this job is called "normalization"; in other words, you have to create some rules (using rename and calculated fields) to align your values with the expected ones.

In your case, you have to add to your Add-On a custom calculated field like the following:

| eval action=if(EventCode=4740 AND action="modified","lockout",action)

you can find more info at https://lantern.splunk.com/Splunk_Platform/Product_Tips/Data_Management/Normalizing_values_to_a_comm... and at https://docs.splunk.com/Documentation/CIM/5.1.1/User/Overview

Ciao.

Giuseppe

domino30
Path Finder

like this 444.PNG

Like this?

gcusello
SplunkTrust

Hi @domino30,

No, this is the option to add fields to a Data Model.

You have to create (usually in an Add-On) a calculated field [Settings > Fields > Calculated Fields] that makes the transformation BEFORE an event is added to a Datamodel.

In other words, the process is the following:

  • events are tagged using eventtypes in the Add-Ons (for this reason, before using an Add-On check the CIM compliance or create a CIM compliant Add-On),
  • fields are renamed in the Add-Ons to have the field names predefined for that Data Model,
  • values are normalized using calculated fields in the Add-Ons,
  • the scheduled searches populate the Data Model adding all the fields already normalized.

for more info see https://docs.splunk.com/Documentation/CIM/5.1.1/User/Overview

Ciao.

Giuseppe
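As an added example (not from this thread and not from Splunk's own Windows Add-on), here is what the calculated field from the earlier answer and the tag/rename/normalize steps listed above look like when written as configuration files inside a custom Add-On, so that the transformation happens before the Change data model is populated. The source value, the stanza name and the eventtype name are assumptions; match them to your own sourcetype and naming.

```ini
# Added example of the three normalization steps from this thread as
# Add-On configuration (e.g. under TA-custom-windows/local/). Not from the
# original thread or from Splunk's Windows Add-on. The source value and
# the eventtype name are assumptions; adjust them to your environment.

# --- props.conf ---------------------------------------------------------
# Values normalized with a calculated field. "Settings > Fields >
# Calculated Fields" in the UI writes exactly this EVAL-<field> line.
# It runs at search time, so the scheduled data model search already sees
# action=lockout for EventCode 4740.
[source::WinEventLog:Security]
# Assumption: the original Add-On yields action="modified" for 4740; only
# that case is rewritten, every other action value passes through unchanged.
EVAL-action = if(EventCode=4740 AND action="modified", "lockout", action)
# Field names aligned with the data model. FIELDALIAS keeps the original
# field and adds the CIM name; Target_User_Name is the raw Windows field
# carrying the locked account for 4740.
FIELDALIAS-cim_user = Target_User_Name AS user

# --- eventtypes.conf ----------------------------------------------------
# Events tagged through an eventtype so the Change data model's
# Account_Management dataset picks them up. Eventtype name is an assumption.
[windows_security_account_lockout]
search = source="WinEventLog:Security" EventCode=4740

# --- tags.conf ----------------------------------------------------------
# Change.Account_Management is constrained on tag=change plus tag=account.
[eventtype=windows_security_account_lockout]
change = enabled
account = enabled
```

Two things to check after deploying it: if the source Add-On already defines its own `EVAL-action` for the same stanza, the two definitions are merged under one key and only the higher-precedence app's line survives, so run `source="WinEventLog:Security" EventCode=4740 | stats count by action` and confirm that only `lockout` is returned; then confirm the data model sees the normalized value with `| datamodel Change Account_Management search | search All_Changes.action=lockout`.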

domino30
Path Finder

Like this? BTW it's working now, just confirming something.

like this solved.PNG

