Managing Datamodels and Sets

To look inside a data model and check that the expected data is there:

| datamodel Authentication Authentication search

To look at the definition of the data model itself ("Generics"):

| datamodel Authentication

The output contains:

  • objectNameList

    • List of all the different datasets that are part of the data model

  • objectSummary

    • High-level summary of the dataset

  • objects

    • Detailed configuration of each dataset stored; may show only the root Authentication dataset

Count each tag in datamodel for ingested data

If a tag has any events, this is a good way to see which data models have events.

* | stats count by tag
| search tag IN ("authentication","email","ids","malware","network","endpoint","web","vulnerability")
| sort - count

Failed Auth

Check whether the data model contains any failed authentication events:

| from datamodel:"Authentication"."Failed_Authentication"
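
To see which sourcetypes feed the Failed_Authentication dataset and whether the user field is being normalized, the check above can be extended with tstats. This is an added example, not part of the original page; it assumes the Splunk CIM Authentication field names (Authentication.app, Authentication.user, Authentication.src) and the CIM convention of filling a missing user with "unknown".

```spl
| tstats summariesonly=false count
    from datamodel=Authentication
    where nodename=Authentication.Failed_Authentication
    by sourcetype, Authentication.app, Authentication.user, Authentication.src
| rename "Authentication.*" AS *
| stats sum(count) AS failures,
        dc(user) AS users,
        dc(src) AS sources,
        sum(eval(if(user=="unknown", count, 0))) AS unknown_user
    by sourcetype, app
| eval unknown_user_pct = round(100 * unknown_user / failures, 1)
| sort - failures
```

A sourcetype with a high unknown_user_pct is tagged into the data model but is missing the user field extraction, so detections that group failed logins by user will not see it correctly.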
