I am trying to learn SIEM tech and am at the stage where I'm trying to use/set up Splunk CIM. My pipeline uses fake logs and I am trying to get them to show up with the Authentication data model. However, it seems like the authentication tag is not being applied. (Files shortened.)

My eventtypes.conf:

    [account_locked]
    search = sourcetype="logstream" action="failure" signature="Account locked"
    tags = authentication, failure, account_locked

My tags.conf:

    [eventtype=account_locked]
    authentication = enabled
    failure = enabled
    account_locked = enabled

and my props.conf:

    [logstream]
    TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%:z
    TIME_PREFIX = "\"_time\": \"""
    MAX_TIMESTAMP_LOOKAHEAD = 30
    INDEXED_EXTRACTIONS = json
    FIELDALIAS-src_user_for_user = user AS src_user
    FIELDALIAS-src_for_src = src AS src
    FIELDALIAS-dest_for_dest = dest AS dest
    FIELDALIAS-app_for_app = app AS app
    FIELDALIAS-dest_for_dest = dest AS dest

Now what is really stumping me here is that no event types are being recognized. However, if I search for those logs using the search I used for the event type, I get the results and logs I am looking for:

    search = sourcetype="logstream" action="failure" signature="Account locked"

A couple of things I confirmed:
- The HEC token is correct
- The field aliases are compliant with the Authentication data model
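As an added example (not code from the original post, and not Splunk's own), here is a small Python linter that reads the three files in the form quoted above and reports the mismatches that keep a tag from reaching a CIM data model: a tags.conf stanza that names an eventtype that does not exist, an eventtype that never receives the model's base tag, and repeated or self-referential FIELDALIAS keys in props.conf. It assumes only the .conf stanza/key=value syntax, that the Authentication data model selects events by tag=authentication, and that a `tags` key inside eventtypes.conf is the deprecated form (tags are applied through tags.conf); the embedded sample input is the poster's three files exactly as quoted.

```python
"""Offline consistency check for an eventtypes.conf / tags.conf / props.conf trio.
Added example, not Splunk code. Assumes .conf stanza/key=value syntax and that
CIM data models select events by tag (Authentication needs tag=authentication)."""
import re

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")
KV_RE = re.compile(r"^([^=\s][^=]*?)\s*=\s*(.*)$")
ALIAS_RE = re.compile(r"^(\S+)\s+AS\s+(\S+)$", re.IGNORECASE)


def parse_conf(text):
    """Parse .conf text into {stanza: [(key, value), ...]}. Keys are kept as an
    ordered list, not a dict, so a key repeated inside one stanza stays visible
    (Splunk itself would silently keep only the last occurrence)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, [])
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            stanzas[current].append((m.group(1), m.group(2)))
    return stanzas


def lint(eventtypes_text, tags_text, props_text, required_tag="authentication"):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    et, tg, pr = parse_conf(eventtypes_text), parse_conf(tags_text), parse_conf(props_text)

    # 1. Every eventtype needs a search. A 'tags' key inside eventtypes.conf is
    #    the deprecated form; the tag is only applied through tags.conf.
    for name, kvs in et.items():
        keys = [k for k, _ in kvs]
        if "search" not in keys:
            findings.append(f"eventtypes.conf [{name}]: missing 'search'")
        if "tags" in keys:
            findings.append(f"eventtypes.conf [{name}]: 'tags' key is deprecated; "
                            f"tag it via [eventtype={name}] in tags.conf")

    # 2. tags.conf stanzas must name a defined eventtype (exact, case-sensitive
    #    match) and use enabled/disabled as values.
    enabled = {}
    for stanza, kvs in tg.items():
        if not stanza.startswith("eventtype="):
            continue
        name = stanza.split("=", 1)[1]
        if name not in et:
            findings.append(f"tags.conf [{stanza}]: no such eventtype in eventtypes.conf")
        for k, v in kvs:
            if v not in ("enabled", "disabled"):
                findings.append(f"tags.conf [{stanza}]: tag '{k}' = '{v}', expected enabled/disabled")
        enabled[name] = {k for k, v in kvs if v == "enabled"}

    # 3. An eventtype meant for a CIM data model must end up with that model's tag.
    for name in et:
        if required_tag not in enabled.get(name, set()):
            findings.append(f"eventtype '{name}' never gets tag '{required_tag}' via tags.conf")

    # 4. props.conf: a key repeated in one stanza silently drops the earlier
    #    value, and an 'x AS x' field alias does nothing at all.
    for stanza, kvs in pr.items():
        seen = set()
        for k, v in kvs:
            if k in seen:
                findings.append(f"props.conf [{stanza}]: key '{k}' repeated (last one wins)")
            seen.add(k)
            m = ALIAS_RE.match(v) if k.startswith("FIELDALIAS-") else None
            if m and m.group(1) == m.group(2):
                findings.append(f"props.conf [{stanza}]: '{k}' aliases {m.group(1)} to itself (no-op)")
    return findings


# Sample input: the three files exactly as quoted in the post above.
POSTED_EVENTTYPES = r'''
[account_locked]
search = sourcetype="logstream" action="failure" signature="Account locked"
tags = authentication, failure, account_locked
'''
POSTED_TAGS = r'''
[eventtype=account_locked]
authentication = enabled
failure = enabled
account_locked = enabled
'''
POSTED_PROPS = r'''
[logstream]
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%:z
TIME_PREFIX = "\"_time\": \"""
MAX_TIMESTAMP_LOOKAHEAD = 30
INDEXED_EXTRACTIONS = json
FIELDALIAS-src_user_for_user = user AS src_user
FIELDALIAS-src_for_src = src AS src
FIELDALIAS-dest_for_dest = dest AS dest
FIELDALIAS-app_for_app = app AS app
FIELDALIAS-dest_for_dest = dest AS dest
'''

if __name__ == "__main__":
    print("\n".join(lint(POSTED_EVENTTYPES, POSTED_TAGS, POSTED_PROPS)))
```

Run it against the real files (read each one and pass the text to `lint`) before restarting Splunk; on the configuration quoted above it reports the deprecated `tags` key in eventtypes.conf, the repeated `FIELDALIAS-dest_for_dest` key and the four `x AS x` aliases that have no effect, and if the eventtype name in tags.conf is misspelled it reports that no eventtype ever receives `tag=authentication`, which is exactly the condition under which the Authentication data model returns nothing.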