- Splunk Answers
- :
- Splunk Premium Solutions
- :
- Security Premium Solutions
- :
- Splunk Enterprise Security
- :
- Setting alias for multivalued field for ES/CIM com...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I created an alias for the X_MS_Forwarded_Client_IP (ADFS events) to equal to src. The X_MS_Forwarded_Client_IP is a multivalue field which leads me to a few questions:
1) We are running ES so do I need to do anything further to ensure that the new src field for the ADFS logs is included in the data model and CIM compliant? The app I created the initial alias was under Search & Reporting (search). Should this alias be under a different app, or does creating an alias and setting permission to all apps satisfy that requirement?
2) Do I need to make any additional config changes due to the field being multivalued? Right now for searches, I add | makemv delim="," src at the end to break them out. I worry with ES data models/CIM so additional configuration might need to be made to break them out automatically
Thx
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If your sourcetype/index is already included in the datamodel for your use cases, it will automatically pick the 'src' field as per the datamodel. If you don't want the values to be MV, you can convert to single values using fields.conf - TOKENIZER.
Its generally a good practice to have your changes in a custom app or one of the existing app and not in search and reporting. If you want your knowledge objects to be visible for other apps, yes, it should be global permission. [ you can also put all your changes in an app and setup export].
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thx for the reply and information - greatly appreciated
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If your sourcetype/index is already included in the datamodel for your use cases, it will automatically pick the 'src' field as per the datamodel. If you don't want the values to be MV, you can convert to single values using fields.conf - TOKENIZER.
Its generally a good practice to have your changes in a custom app or one of the existing app and not in search and reporting. If you want your knowledge objects to be visible for other apps, yes, it should be global permission. [ you can also put all your changes in an app and setup export].
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
