Hi All, trying to identify what data source/sourcetype is needed for each individual field while performing DataModel CIM normalization. For example for Endpoint->Ports/Data Set (https://d...
I want to add some fields to a data-model that comes with the Common Information Model app but I want to avoid rebuilding my data-models (since rebuilding the data-models is time and resource i...
...After upgrading the Splunk Enterprise search head from 6.6.x to 7.1.x, the datamodels are not displaying the raw fields extracted with the source type. Instead, they are only displaying the fields associated...
...hen I perform the same tstats query using SPL, I am able to get proper values (ie. timestamp with milliseconds). Does anyone have suggestions on how to add new fields to an existing CIM datamodel...
Hello, I would like to know the aim of this default constraint : (`cim_Authentication_indexes`) tag=authentication NOT (action=success user=*$) action="success" Especially what d...
...llowed or blocked.
I edited my props.conf and added new EVAL command with the same field name 'action' (EVAL-action = ...).
This change affects the way my app users will need to look for their data...
...ACCELERATE_ I accessed the DataModels page and expanded the CIM Validation (S.o.S) datamodel. The information I got is: "Access Count: 0 - Last Access: -) while size is 750MB and frequently updated. My q...
...earch that calculates a large number of extra fields through evals and lookups. I want to speed up and generalize this search by mapping to a CIM datamodel. Which fields should I leave in the search (a...
When developing a CIM-compliant add-on, is it mandatory to map ALL of my data fields to the datamodel's fields?
Does that affect/keep my data from appearing in ES?
I have an environment with a large number of sourcetypes and would like to map those to the appropriate CIM datamodel. While I generally know about the Splunk commands pivot and datamodel, their u...