Hi there, I was ingesting a new server into a new index (Ubuntu with UF). Let's say my index is index=ABC. I want to connect it to a Datamodel; unfortunately I'm not the first who created it. And when I check it I get the error "This object has no explicit index constraint. Consider adding one for better performance."

When I check the macro `cim_Endpoint_indexes` it only shows `()`. When I want to add my new index to that macro I get a 500 server error.

According to this question: https://community.splunk.com/t5/Knowledge-Management/Adding-index-to-accelerated-CIM-datamodel/m-p/586847#M8722 it says 2 solutions:

- if you don't rebuild the DataModel, Splunk will start to add logs from that index when you save the macro, and old events aren't added to the Datamodel, only the new ones,
- if you rebuild the DataModel, Splunk will add to the DataModel all the events in all indexes contained in the macro until the retention period (e.g. Network Traffic 1 month, Authentication 1 year, and so on).

Since I know it cannot be added from the macro, I created a new Eventtype and Tag for my new index. The Eventtypes and their Tags look like this:

| Eventtype | Tag |
| --- | --- |
| eventtype=ABC_endpoint_event | tag=endpoint, tag=asset, tag=network |
| eventtype=ABC_process_event | tag=process, tag=endpoint |
| eventtype=ABC_network_event | tag=network, tag=communication |
| eventtype=ABC_security_event | tag=security, tag=endpoint |

One of the base searches in the Datamodel Endpoint is using tag=process:

```
(`cim_Endpoint_indexes`) tag=process tag=report | eval process_integrity_level=lower(process_integrity_level)
```

That query calls tag=process, but when I try running it, it doesn't show my new index. Can anyone help me solve this issue?

~Danke
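The three pieces the post ties together (the index constraint macro, the eventtype and its tags) written out as Splunk .conf stanzas; this is an added illustration, not configuration from the post or from Splunk_SA_CIM, and the sourcetype value and the app directory are placeholders.

```ini
# macros.conf (e.g. $SPLUNK_HOME/etc/apps/<your_app>/local/macros.conf)
# The Endpoint datamodel base search wraps this macro as (`cim_Endpoint_indexes`),
# so the index constraint the warning asks for lives here, not in the datamodel.
[cim_Endpoint_indexes]
definition = (index=ABC)

# eventtypes.conf: the search that selects process events from the new index.
# <your_sourcetype> is a placeholder for the sourcetype the UF sends.
[ABC_process_event]
search = index=ABC sourcetype=<your_sourcetype>

# tags.conf: tags are attached to the eventtype, one key per tag.
# The base search shown in the post is "tag=process tag=report", i.e. an AND,
# so an event only enters that dataset when it carries every tag in that search.
[eventtype=ABC_process_event]
process = enabled
report = enabled
endpoint = enabled
```

After editing .conf files directly, the changes take effect on a restart or a debug/refresh; a quick check is to run `eventtype=ABC_process_event | stats count by tag` and confirm that every tag from the base search appears.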