Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Issue on using event types as constraints for Data model

Zanusha443
Explorer
‎06-11-2024 10:50 AM

Hi,

I am working in a distributed environment with a SHC of 3 search heads and I am mapping vpn logs to fill certain datasets of my custom version of the Authentication data model (not accelerated for the moment).

The datasets I added to the default authentication Data Model are "Failed_Authentication","Successful_Authentication" and "Login_Attempt", as you can see below:


2024-06-11 18_55_22-Edit Objects_ Authentication _ Splunk 9.2.1.png

 

 

 

 

 

 

 

 

 

 

 

Then, I created an eventtype (with some associated tags) to match specific conditions for an authentication success, as shown below:

1eventtype.png

 

sourcetype=XX action=success signature IN ("Agent login","Login","Secondary authentication","Primary authentication") OR (signature="Session" AND action="success")

 

 

Then, I used the Eventtype as a constraint for the dataset "Authentication.Successful_Authentication" as shown below:

5.png

To test if the constraint is working or not:

  • I used the pivoting button offered by the GUI and it returns me some results!
  • I run in the search app the following SPL and it also returns some results: 

 

index=vpn* tag=authentication eventtype=auth_vpn_success​

 

 

However, if I try to retrieve the same information by using the following SPL (by using tstat), it returns no results:

 

 |tstats summariesonly=f count from datamodel=Authentication where nodename=Authentication.Successful_Authentication

 

Even by running another SPL(based on tstat) to retrieve the eventtypes of the Authentication Data Model it returns no results:

 

| tstats count from datamodel=Authentication  by eventtype

 

 

I tried to troubleshoot the issue with 2 different tests:

  1. Not using the field eventtypes as Dataset constraint. 
  2. Creating another eventtype and using a different Data Model (Change).

 

1) I created a dataset constraint for "Authentication.Failed_Authentication" which is not using either tag or eventtypes, as follow:

4-2auth-failureconstaint_dataset.png

 

action=failure

 

 

And both of the aforementioned tstats SPLs are working now!

 

2) I created another eventtype related to a change log type, as follow:

7.png

 

index=vpn* sourcetype=XX AND "User Accounts modified."

 

 

And I added it as a constraint  for the dataset "All_Changes.Account_Change" :

8.png

And by running the 2 aforementioned tstat SPLs  they return me some results!

 

In conclusion, I suspect there is an issue related to either the tag=authentication (maybe some conflict with other default apps?) or the Authentication Data Model (related to custom datasets I added?).

Do you have any clue of what I could have done wrong ? 

 

Kind Regard,

Z

 

Labels (3)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...