
Custom add-on created, logs are getting tagged, however data is not getting accelerated in the data model

sumitkathpal
Explorer

Hi All,

We created a custom add-on for CrowdStrike and the logs were in _json format. We did the respective tagging and used field aliases to map to CIM. Now we can see the logs getting tagged and can also see the field alias values; however, when we search in the data model, the CrowdStrike logs are not getting accelerated.

Request your help to troubleshoot the issue.

1 Solution

tiagofbmm
Influencer

For new data in new indexes to be reachable by a CIM Data Model, did you add the index in the CIM Configuration so Splunk starts to actually search for it?

If you have, another thing is, have you tried to run the data model base search and see if your tags and eventtypes are correct? Go to Data Models, select the one you are expecting that data to be matched against, grab the dataset search and run it.

Let me know what the scenario is, please.


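To make the two checks above concrete, here is an added example of the minimal knowledge objects a CIM-compliant add-on needs for the Network_Traffic data model, plus the searches used to verify each layer. This is illustrative configuration written for this thread, not the poster's add-on and not configuration shipped by Splunk or CrowdStrike. The sourcetype name `crowdstrike:falcon:json`, the index name `crowdstrike`, the eventtype name and the raw field names (`LocalAddressIP4`, `RemoteAddressIP4`, `LocalPort`, `RemotePort`, `event_simpleName`) are assumptions; substitute whatever your add-on actually emits. The macro name `cim_Network_Traffic_indexes` and the root constraint `tag=network tag=communicate` are the ones the CIM's Network_Traffic data model uses.

```ini
# --- TA-crowdstrike/default/props.conf ---
# Parse the JSON and alias raw fields onto CIM Network_Traffic field names.
# Field aliases only create the CIM fields; they do NOT put the event into a
# data model. That requires the eventtype + tags below AND the index whitelist.
[crowdstrike:falcon:json]
KV_MODE = json
FIELDALIAS-cim_src  = LocalAddressIP4  AS src
FIELDALIAS-cim_dest = RemoteAddressIP4 AS dest
FIELDALIAS-cim_src_port  = LocalPort  AS src_port
FIELDALIAS-cim_dest_port = RemotePort AS dest_port

# --- TA-crowdstrike/default/eventtypes.conf ---
# Scope the eventtype as tightly as the data allows; tags are attached to it.
# (event_simpleName value is an assumed example selector.)
[crowdstrike_network_traffic]
search = sourcetype=crowdstrike:falcon:json event_simpleName=NetworkConnectIP4

# --- TA-crowdstrike/default/tags.conf ---
# Network_Traffic.All_Traffic is constrained on tag=network AND tag=communicate,
# so both tags must be enabled on the eventtype or the root dataset never matches.
[eventtype=crowdstrike_network_traffic]
network = enabled
communicate = enabled

# --- Splunk_SA_CIM/local/macros.conf ---
# What the CIM Setup page writes when you add an index to the Network_Traffic
# "Indexes whitelist". With a restricted whitelist, a new index that is not
# listed here is invisible to the data model even if tagging is perfect.
[cim_Network_Traffic_indexes]
definition = (index=crowdstrike)

# --- Verification searches (run in the search bar, in this order) ---
# 1. Tagging layer: do the events carry both tags?
#      index=crowdstrike sourcetype=crowdstrike:falcon:json
#      | stats count by eventtype tag
# 2. Root dataset constraint exactly as the data model evaluates it
#    (this is the "grab the dataset search and run it" step):
#      (`cim_Network_Traffic_indexes`) tag=network tag=communicate
#      | stats count by index sourcetype
# 3. Same thing via the data model, unaccelerated:
#      | datamodel Network_Traffic All_Traffic search
#      | stats count by index sourcetype
# 4. Accelerated summaries only; zero here with non-zero in step 3 means
#    acceleration has not yet caught up, not a tagging problem:
#      | tstats summariesonly=true count from datamodel=Network_Traffic.All_Traffic
#        by index sourcetype
```

Work down the list: if search 1 shows the eventtype but not both tags, fix tags.conf; if search 1 is fine but search 2 returns nothing, the index is missing from the whitelist macro (the poster's case); if 2 and 3 return data but 4 does not, acceleration simply has not run over the new events yet (by default, acceleration summaries are built on a schedule and only backfill the configured summary range).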


sumitkathpal
Explorer

Thanks, I created a new index for the new source and my CIM configuration was specific to indexes.
However, one of my taggings is not working; the rest all started working.

I saw in the Network Traffic CIM config that only the tag "pci" is whitelisted?


p_gurav
Champion

Are you able to search data in data model without acceleration?


sumitkathpal
Explorer

Nope.


p_gurav
Champion

Can you run the root object search in the search bar?
