Re: Data model not picking up field alias

responsys_cm · ‎07-17-2018

I have installed the Suricata TA on my Splunk box. I am verifying that the data is flowing into the Intrusion Detection data model correctly.

The Suricata TA has the following field alias:

FIELDALIAS-suricata_global = proto AS transport src_ip AS src dest_ip AS dest

The following search shows the values of the "src" field correctly, but the "dest" field has thousands of events where "dest" is "unknown":

| datamodel Intrusion_Detection Network_IDS_Attacks search

But if I run this search on the raw events, I only see events that don't have the "dest" field in them:

sourcetype=suricata NOT dest=*

Can anyone think of a reason why two fields defined in the same FIELDALIAS- command would only have one of them populate with the values correctly? Both the src_ip and dest_ip fields are in the events, but the data model can't see the values for dest/dest_ip for some reason...

claudio_manig · ‎02-12-2019

I know its an old post but i had the same problem-
Solution was that i extracted all my fields using a delims transforms on a dedicated field extraction (basically the _raw event without header data). Now the datamodel was not aware of the underlying field extraction. Adding it as a field of the datamodel did the trick and all other fields showed up.

HiroshiSatoh · ‎07-17-2018

Is alias' permission global?

responsys_cm · ‎07-17-2018

I should also add that when I ran | datamodel Certificates search, the dest field is populating properly in that datamodel.

Neither datamodel is accelerated yet.

zschmerber · ‎06-18-2019

I have the same problem Suricata 2.3.3:
FIELDALIAS-suricata_global = proto AS transport src_ip AS src dest_ip AS dest
The alias is not adding dest to the logs that are tagged with tag=attack OR tag=ids.

Data model not picking up field alias

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk

Modern way of developing distributed application using OTel