Issue on using event types as constraints for Data model

Zanusha443
Explorer

Hi,

I am working in a distributed environment with a SHC of 3 search heads and I am mapping vpn logs to fill certain datasets of my custom version of the Authentication data model (not accelerated for the moment).

The datasets I added to the default authentication Data Model are "Failed_Authentication","Successful_Authentication" and "Login_Attempt", as you can see below:


2024-06-11 18_55_22-Edit Objects_ Authentication _ Splunk 9.2.1.png

Then, I created an eventtype (with some associated tags) to match specific conditions for an authentication success, as shown below:

1eventtype.png

sourcetype=XX action=success signature IN ("Agent login","Login","Secondary authentication","Primary authentication") OR (signature="Session" AND action="success")

Then, I used the Eventtype as a constraint for the dataset "Authentication.Successful_Authentication" as shown below:

5.png

To test if the constraint is working or not:

  • I used the pivot button offered by the GUI and it returns some results!
  • I ran the following SPL in the search app and it also returns some results:

index=vpn* tag=authentication eventtype=auth_vpn_success

However, if I try to retrieve the same information using the following SPL (based on tstats), it returns no results:

| tstats summariesonly=f count from datamodel=Authentication where nodename=Authentication.Successful_Authentication

Even running another SPL (based on tstats) to retrieve the eventtypes of the Authentication Data Model returns no results:

| tstats count from datamodel=Authentication by eventtype

I tried to troubleshoot the issue with 2 different tests:

  1. Not using the eventtype field as a dataset constraint.
  2. Creating another eventtype and using a different Data Model (Change).

1) I created a dataset constraint for "Authentication.Failed_Authentication" which uses neither tags nor eventtypes, as follows:

4-2auth-failureconstaint_dataset.png

action=failure

And both of the aforementioned tstats SPLs are working now!

2) I created another eventtype related to a change log type, as follows:

7.png

index=vpn* sourcetype=XX AND "User Accounts modified."

And I added it as a constraint for the dataset "All_Changes.Account_Change":

8.png

And by running the 2 aforementioned tstats SPLs, they return some results!

In conclusion, I suspect there is an issue related to either the tag=authentication (maybe some conflict with other default apps?) or the Authentication Data Model (related to custom datasets I added?).

Do you have any clue what I could have done wrong?

Kind Regards,

Z
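One way to check which datasets in a data model inherit an eventtype= or tag= constraint from their parent (the situation described in the post, where Successful_Authentication sits under the tag-constrained Authentication node): an added example, not part of the original post or Splunk's own tooling. The JSON layout (objects[].objectName, parentName, constraints[].search) is assumed from Splunk's data model JSON export, and the sample model is constructed.

```python
"""Diagnostic: list each dataset's effective (inherited) constraint chain in a Splunk
data model definition and flag constraints that depend on eventtypes or tags.
Added example, not from the original post. The JSON layout (objects[].objectName,
parentName, constraints[].search) is assumed from Splunk's data model JSON export;
the sample definition is constructed to mirror the post's Authentication model."""
import json
import re

# Constructed sample: the base "Authentication" node with its CIM tag constraint,
# plus the custom child datasets the post describes (eventtype- vs field-based).
SAMPLE_MODEL_JSON = json.dumps({
    "modelName": "Authentication",
    "objects": [
        {"objectName": "Authentication", "parentName": "BaseEvent",
         "constraints": [{"search": "tag=authentication"}]},
        {"objectName": "Successful_Authentication", "parentName": "Authentication",
         "constraints": [{"search": "eventtype=auth_vpn_success"}]},
        {"objectName": "Failed_Authentication", "parentName": "Authentication",
         "constraints": [{"search": "action=failure"}]},
    ],
})

# A constraint referencing eventtype= or tag= only resolves if that knowledge object
# is visible (shared) in the app context the data model is evaluated in.
KNOWLEDGE_OBJECT_REF = re.compile(r"\b(eventtype|tag)\s*=", re.IGNORECASE)

def effective_constraints(model_json: str) -> dict:
    """Return {dataset: [constraint, ...]} with parent constraints prepended,
    walking parentName upwards until a root marker (BaseEvent etc.) is reached."""
    objects = {o["objectName"]: o for o in json.loads(model_json)["objects"]}
    result = {}
    for name in objects:
        chain, cur = [], name
        while cur in objects:  # root markers are not in the objects list
            chain = [c["search"] for c in objects[cur].get("constraints", [])] + chain
            cur = objects[cur].get("parentName")
        result[name] = chain
    return result

def knowledge_object_dependencies(model_json: str) -> dict:
    """Return {dataset: ['tag', 'eventtype', ...]} for every eventtype=/tag= reference
    in the dataset's effective constraint chain (empty list = plain field constraints)."""
    return {
        name: [m.group(1).lower() for c in chain for m in KNOWLEDGE_OBJECT_REF.finditer(c)]
        for name, chain in effective_constraints(model_json).items()
    }

if __name__ == "__main__":
    for ds, chain in effective_constraints(SAMPLE_MODEL_JSON).items():
        print(f"{ds}: {' AND '.join(f'({c})' for c in chain)}")
```

Running it against a real export shows that Successful_Authentication depends on both the CIM tag and the custom eventtype, while Failed_Authentication depends only on the tag, which is the difference between the post's two troubleshooting tests.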