Hi there,
Is it possible to search for windows interactive logons from the Authentication data model?
eg. I can do it this way:
index=* source="*WinEventLog:Security" (LogonType=2 OR LogonType=10 OR LogonType=11)
And I'm looking for an equivalent way using a data model eg:
| tstats summariesonly=true count from datamodel=Authentication by Authentication.action Authentication.app Authentication.dest Authentication.signature Authentication.src Authentication.src_user Authentication.user
|search <SOME LOGIC>
Thank you!
@dbroggy - The Authentication data model does not have a field called "LogonType".
If this is the only query and performance is not a big problem, I would suggest writing a regular query rather than creating a cloned version of the data model, as that will create additional search load on Splunk servers.
If performance is a big problem you can use summary indexing or report acceleration as that would be much better for overall Splunk performance.
I don't see any fields in the datamodel which would map to the LogonType value. So you can't search for it from the existing datamodel. You'd have to make a copy of the datamodel and add a new field to it.
But the question is whether there is a point, since the CIM datamodels are meant to serve as a layer of abstraction separating the search using the datamodel from the gory details of the particular data implementation. And your LogonType field is very implementation-specific. So from the data engineering point of view, it's not a pretty solution. If you want to have it only because you want to use data model acceleration, there are other ways to accelerate your searches.
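The two answers above point the same way: keep LogonType out of the Authentication data model and run a regular search, accelerating it with summary indexing if it becomes slow. The following SPL is an added example written for this thread, not code posted by the original participants. It assumes the poster's field name `LogonType` plus the CIM fields `user`, `src` and `dest` that the Splunk Add-on for Microsoft Windows extracts from 4624 events; the index name `summary_auth` and the report marker are illustrative. Note that the OR group is parenthesised: without the parentheses, SPL's implicit AND binds tighter than OR, so `source=... LogonType=2 OR LogonType=10` would match LogonType=10 events from any source.

```spl
# One-off search: interactive (2), RDP (10) and cached-credential (11) logons,
# restricted to successful logon events (EventCode 4624) and labelled by class.
index=* source="*WinEventLog:Security" EventCode=4624 (LogonType=2 OR LogonType=10 OR LogonType=11)
| eval logon_class=case(LogonType==2, "console",
                        LogonType==10, "remote_interactive",
                        LogonType==11, "cached_interactive")
| stats count earliest(_time) AS first_seen latest(_time) AS last_seen
        BY logon_class user src dest

# Summary-indexing variant (second answer): save the search below as a scheduled
# report running e.g. every 15 minutes over the previous 15 minutes, so the raw
# Security events are scanned once and later searches hit the small summary index.
index=* source="*WinEventLog:Security" EventCode=4624 (LogonType=2 OR LogonType=10 OR LogonType=11)
| eval logon_class=case(LogonType==2, "console",
                        LogonType==10, "remote_interactive",
                        LogonType==11, "cached_interactive")
| stats count BY logon_class user src dest
| collect index=summary_auth sourcetype=stash marker="report=win_interactive_logons"

# Consumer search against the summary index; cheap enough to run in a dashboard.
index=summary_auth report=win_interactive_logons
| stats sum(count) AS logons BY logon_class user dest
| where logons > 20
```

The `where logons > 20` threshold is only a placeholder for whatever baseline fits your environment; the point is that the filtering on LogonType happens once, in the scheduled search, while the data model stays untouched and vendor-neutral.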