Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Actions in regards to events coming in

domino30
Path Finder
‎06-22-2023 09:08 AM

We have searches for 4740 account lockouts not showing as action=lockout but instead as action=modified.

This is important to us as we are trying to configure ES but that's one dashboard where we aren't getting any results.

Where do we go to fix this?

 

Also whenever you get a a source or field that shows as "unknown" whats the best way to go about fixing these?

Labels (4)
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-06-2023 11:09 PM

Hi @domino30,

yes, calculated fields (like the one you shared) are one of the methods to normalize data.

Let me know if you solved your issue.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-22-2023 11:39 PM

Hi @domino30,

this job is called "normalization", in other words, you have to create some sules (using reneme and calculated fields) to align yur values with the waited ones.

In your case, you have to add to your Add-On a custom calculated field like the following:

| eval action=if(EventCode=4740 AND action="lockout","modified",action)

you can find more infos at https://lantern.splunk.com/Splunk_Platform/Product_Tips/Data_Management/Normalizing_values_to_a_comm... and at https://docs.splunk.com/Documentation/CIM/5.1.1/User/Overview

Ciao.

Giuseppe

Reply
Solved! Jump to solution

domino30
Path Finder
‎06-29-2023 10:43 AM

like this 444.PNG

 Like this?

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎06-30-2023 12:19 AM

Hi @domino30,

No, this is the possibility to add fields to a DataModel.

You have to create (usually in an Add-On) a calculated field [Settings > Fields > Calculated Fields] that makes the transformation BEFORE an event is added to a Datamodel.

In other words, the process is the following:

  • events are tagged using eventtypes in the Add-Ons (for this reason, before using an Add-On check the CIM compliance or create a CIM compliant Add-On),
  • fields are renamed in the Add-Ons to have the field names predefined for that Data Model,
  • values are normalized using calculated fieds in the Add-Ons,
  • the scheduled searches populate the Data Model adding all the fields already normalized.

for more infos see at https://docs.splunk.com/Documentation/CIM/5.1.1/User/Overview

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

domino30
Path Finder
‎07-06-2023 03:00 PM

like this? btw its working now just confirming something

like this solved.PNG

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-06-2023 11:09 PM

Hi @domino30,

yes, calculated fields (like the one you shared) are one of the methods to normalize data.

Let me know if you solved your issue.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...