Re: How to troubleshoot why SA-cim_validator is sh...

responsys_cm · ‎01-03-2017

I'm using the Splunk CIM Validator app to validate that data is flowing into my Splunk Enterprise Security data models correctly. For a number of the data models, the app shows 0% compliance because there are no values extracted for any of the fields in the data model.

Yet when I run the search used by the data model, I see all of the fields that the CIM Validator is complaining about being extracted properly.

I have no idea how to troubleshoot this...

mreynov_splunk · ‎01-03-2017

This may be permissions issue...
When you say "search used by the data model" - are you using the pivot feature?

responsys_cm · ‎01-03-2017

I'm logged in as the admin user. Take the Web data model -- (cim_Web_indexes) tag=web is the root level search. The cim_Web_indexes macro is: (index=cisco OR index=f5). If I run the CIM Validator using that search, it comes back with 48% compliant.

If I search on index=cisco tag=web, I get the exact same results. If I search on index=f5 tag=web, the CIM Validator finds zero events. But if I run that same search outside the CIM Validator app, I see results just fine.

mreynov_splunk · ‎01-03-2017

CIM validator is stricter, I guess.

How to troubleshoot why SA-cim_validator is showing 0% compliance for data models that do have field values extracted properly?

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk