Hello, I would like to know the aim of this default constraint: (`cim_Authentication_indexes`) tag=authentication NOT (action=success user=*$) action="success" Especially what does ...
Hello, I have been working on Splunk for a few months now, and we are using Splunk mainly for Cyber Security monitoring. I am wondering with regards to data model (CIM) should I create separate d...
...ACCELERATE_ I accessed the Data Models page and expanded the CIM Validation (S.o.S) data model. The information I got is: "Access Count: 0 - Last Access: -) while size is 750MB and frequently updated. My q...
We are currently using a Splunk Enterprise environment with one search head and one indexer. We enabled data model acceleration because the performance of the search became poor as we used the s...
Hi 🙂 I'm new here and I still don't understand the difference between summary indexing and data modeling. When should I use each? Or which is the best option for optimizing searches?
Greetings, I'm finally tackling the topic of data models within my organization, and am coming across situations I am needing to solve for. 1. Windows authentication data which has a null values i...
Hi all,
Kindly help to modify Query on Data Model network traffic, I have built the query index=firewall sourcetype="traffic" | stats ,values(dest_port) as d...
Hi All, I'm not that familiar with DMA as I have not had any exposure really to setting up data models so far but am currently having an issue atm with DMA not saying active. We had to disable D...