Hello, I would like to know the aim of this default constraint : (`cim_Authentication_indexes`) tag=authentication NOT (action=success user=*$) action="success" Especially what d...
...ultiple indexes linked to it. Shall I actually use the default datamodel in CIM, eg datamodel=Authentication with all the indexes in DMZ, ZoneA and ZoneB, or should I make copies of datamodel? S...
Greetings, I'm finally tackling the topic of datamodels within my organization, and am coming across situations I am needing to solve for. 1. Windows authentication data which has a null values i...
...models, I have a question regarding the storage location and method of accelerated data. If the data is accelerated, does the datamodel summary folder store the complete accelerated data or will i...
...ACCELERATE_ I accessed the DataModels page and expanded the CIM Validation (S.o.S) datamodel. The information I got is: "Access Count: 0 - Last Access: -) while size is 750MB and frequently updated. My q...
We are currently using a Splunk Enterprise environment with one search head and one indexer. We enabled datamodel acceleration because the performance of the search became poor as we used the s...
Hi 🙂 I'm new here and I still don't understand the difference between summary indexing and datamodeling. When should I use each? Or which is the best option for optimizing searches?
Hi all,
Kindly help to modify Query on DataModel network traffic, I have built the query index=firewall sourcetype="traffic" | stats ,values(dest_port) as d...