Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Actions in regards to events coming in

domino30
Path Finder
‎06-22-2023 09:08 AM

We have searches for 4740 account lockouts not showing as action=lockout but instead as action=modified.

This is important to us as we are trying to configure ES but that's one dashboard where we aren't getting any results.

Where do we go to fix this?

 

Also whenever you get a a source or field that shows as "unknown" whats the best way to go about fixing these?

Labels (4)
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-06-2023 11:09 PM

Hi @domino30,

yes, calculated fields (like the one you shared) are one of the methods to normalize data.

Let me know if you solved your issue.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-22-2023 11:39 PM

Hi @domino30,

this job is called "normalization", in other words, you have to create some sules (using reneme and calculated fields) to align yur values with the waited ones.

In your case, you have to add to your Add-On a custom calculated field like the following:

| eval action=if(EventCode=4740 AND action="lockout","modified",action)

you can find more infos at https://lantern.splunk.com/Splunk_Platform/Product_Tips/Data_Management/Normalizing_values_to_a_comm... and at https://docs.splunk.com/Documentation/CIM/5.1.1/User/Overview

Ciao.

Giuseppe

Reply
Solved! Jump to solution

domino30
Path Finder
‎06-29-2023 10:43 AM

like this 444.PNG

 Like this?

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-30-2023 12:19 AM

Hi @domino30,

No, this is the possibility to add fields to a DataModel.

You have to create (usually in an Add-On) a calculated field [Settings > Fields > Calculated Fields] that makes the transformation BEFORE an event is added to a Datamodel.

In other words, the process is the following:

  • events are tagged using eventtypes in the Add-Ons (for this reason, before using an Add-On check the CIM compliance or create a CIM compliant Add-On),
  • fields are renamed in the Add-Ons to have the field names predefined for that Data Model,
  • values are normalized using calculated fieds in the Add-Ons,
  • the scheduled searches populate the Data Model adding all the fields already normalized.

for more infos see at https://docs.splunk.com/Documentation/CIM/5.1.1/User/Overview

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

domino30
Path Finder
‎07-06-2023 03:00 PM

like this? btw its working now just confirming something

like this solved.PNG

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-06-2023 11:09 PM

Hi @domino30,

yes, calculated fields (like the one you shared) are one of the methods to normalize data.

Let me know if you solved your issue.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...