Splunk Enterprise Security

How to add new field to existing CIM data model?

vpsmax1
Loves-to-Learn

Hello.

Using the eval function, I am trying to add a new field to the Change data model. When I try to add the new field (i.e. time_millis=_time), no results come back from my tstats query. When I perform the same tstats query using SPL, I am able to get proper values (i.e. timestamp with milliseconds). Does anyone have suggestions on how to add new fields to an existing CIM data model? Thanks in advance for any advice.

Regards,
Max


starcher
Influencer

It is usually a bad idea to add anything to one of the stock CIM data models. The reason is that, unlike normal Splunk configurations, data models are stored as JSON files and do NOT benefit from the default/local merging.

So if you edit a DM you now have a full static copy in the local folder that overrides the one in default. So if the stock ones get updated you never see it. You are then in the business of hand-adding every little change.

We usually recommend, since you have to have a copy anyway, making an actual differently named copy. So you don't tamper with the stock ones and can use your custom one as desired.


vpsmax1
Loves-to-Learn

Thanks for your feedback.  I will look at making a copy and using a custom DM.  As for the purpose of adding the fields, can you suggest ways to ...

- Resolve timestamp issues (ie. _time not returning seconds/milliseconds)
- Return _raw as a field (to obtain extra fields/data beyond what the CIM data model offers)


lblystone
Splunk Employee

There are numerous posts on converting timestamps to milliseconds and formatting the _time field (this may involve changes to the sourcetype), so the actual syntax/solution will be based on your data set. Here is a good example of converting to milliseconds: https://community.splunk.com/t5/Splunk-Search/TimeFormat-conversion-to-millisecond/m-p/212326

If you are looking to search on the _raw field, adding that to a data model is not advisable. One of the purposes of a data model is to reduce and consolidate the number of fields and the size of events to a summary version, so adding that field would directly contradict that purpose. I would recommend just using that field for your search, or adding additional field extractions to the data and then adding the new fields to the custom DM.

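Both answers above come down to the same procedure: leave the stock CIM JSON alone, write a differently named copy into your app's local/data/models directory, and put the new fields (here the asker's time_millis, computed as epoch milliseconds) on the copy. The script below is an added example, not code from the thread or from Splunk: it clones a data model definition under a new modelName and appends an Eval calculation to one of its objects. The STOCK_CHANGE_MODEL skeleton is a constructed stand-in, and the JSON keys (modelName, objects, objectName, fields, calculations, calculationType, outputFields, expression) are as recalled from exported Splunk data models; check them against an export of your own Change model before trusting the output.

```python
"""Clone a Splunk data model JSON under a new name and add an Eval field.

Added example (not Splunk's code). Key names follow exported data model JSON
as recalled; verify against your own export. Sample model is constructed.
"""
import copy
import json

# Constructed minimal stand-in for the stock file, e.g.
# $SPLUNK_HOME/etc/apps/Splunk_SA_CIM/default/data/models/Change.json
STOCK_CHANGE_MODEL = {
    "modelName": "Change",
    "displayName": "Change",
    "description": "Constructed stand-in for the stock Change model",
    "objects": [
        {
            "objectName": "All_Changes",
            "displayName": "All Changes",
            "parentName": "BaseEvent",
            "constraints": [{"search": "tag=change", "owner": "All_Changes"}],
            "fields": [
                {"fieldName": "_time", "owner": "BaseEvent", "type": "timestamp",
                 "required": False, "multivalue": False, "hidden": False},
                {"fieldName": "action", "owner": "All_Changes", "type": "string",
                 "required": False, "multivalue": False, "hidden": False},
            ],
            "calculations": [],
        }
    ],
}


def clone_model(model, new_name, display_name=None):
    """Deep-copy a model under a new modelName; the stock dict is not touched.

    Splunk expects the file on disk to be named <modelName>.json, so the
    clone must be written as <app>/local/data/models/<new_name>.json.
    """
    if new_name == model["modelName"]:
        raise ValueError("clone must use a different modelName than the stock model")
    clone = copy.deepcopy(model)
    clone["modelName"] = new_name
    clone["displayName"] = display_name or new_name
    return clone


def _find_object(model, object_name):
    obj = next((o for o in model["objects"] if o["objectName"] == object_name), None)
    if obj is None:
        raise KeyError(f"object {object_name!r} not found in {model['modelName']}")
    return obj


def field_names(model, object_name):
    """All fields visible on an object: extracted fields plus calculated outputs."""
    obj = _find_object(model, object_name)
    names = [f["fieldName"] for f in obj["fields"]]
    names += [of["fieldName"] for c in obj["calculations"] for of in c["outputFields"]]
    return names


def add_eval_field(model, object_name, field_name, expression, field_type="number"):
    """Append an Eval calculation that produces field_name on object_name.

    Refuses to shadow a field the object already defines, which would make
    tstats results depend on which definition the summary was built from.
    """
    obj = _find_object(model, object_name)
    if field_name in field_names(model, object_name):
        raise ValueError(f"{field_name!r} already defined on {object_name}")
    obj["calculations"].append({
        "calculationID": f"{object_name}_{field_name}",  # assumed id format
        "calculationType": "Eval",
        "outputFields": [{
            "fieldName": field_name, "owner": object_name, "type": field_type,
            "required": False, "multivalue": False, "hidden": False,
        }],
        "expression": expression,
        "editable": True,
        "comment": "added by clone script (example)",
    })
    return model


def build_custom_change(model=STOCK_CHANGE_MODEL):
    """Clone Change as Custom_Change and add epoch-millisecond time_millis."""
    custom = clone_model(model, "Custom_Change", "Custom Change")
    # _time already carries subsecond precision; this exposes it as an
    # integer millisecond field that tstats can aggregate on.
    add_eval_field(custom, "All_Changes", "time_millis", "round(_time*1000)")
    return custom


if __name__ == "__main__":
    custom = build_custom_change()
    # Save as <app>/local/data/models/Custom_Change.json; stock Change.json stays as shipped.
    print(json.dumps(custom, indent=2))
    print(field_names(custom, "All_Changes"))
```

Two caveats a practitioner should keep in mind. tstats reads from the accelerated summary, so a field added to a model only appears in tstats output once acceleration for that model (the `[Custom_Change]` stanza in datamodels.conf) has been enabled and the summary rebuilt; until then only a normal `datamodel` search will show it. And Enterprise Security's correlation searches reference the stock model names, so content that should use the clone has to be pointed at `Custom_Change` explicitly.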