Splunk Enterprise Security

ES 3.3 Data models showing Unknown values

masiddiqu
Explorer

Hi,
I have a two-index-node cluster and one dedicated search head for the ES app. I installed the Splunk TA for Cisco ASA on the forwarders, indexers and search head. We are able to index the data with sourcetype=cisco:asa.

When we search the data with the Search app we are able to get all the fields properly, including the tags required for the ES app (e.g. src, dst, network).

But when we open the data models in the ES app, most of the fields show an unknown value. How do I troubleshoot this?

siddiqu.T

0 Karma

esix_splunk
Splunk Employee

If ES loaded the data into the data models before you installed Splunk_TA_cisco-asa on the ES search head, these values will show as unknown.

You need to rebuild the data model for this to be corrected.

You should, however, browse the data model and confirm that the data is tagged correctly. Follow the ES documentation for your data model and dashboard:

http://docs.splunk.com/Documentation/ES/3.1.1/User/AdditionalNetworkdashboards
http://docs.splunk.com/Documentation/CIM/latest/User/Howtousethesereferencetables

0 Karma
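A way to tell the two cases apart (data not tagged or normalized on the ES search head, versus accelerated summaries that were built before the TA was installed) is to run the same question three ways from the ES search head. The following SPL is an added example, not part of the answer above or of the TA; it assumes the Cisco ASA events are tagged network and communicate and map to the CIM Network_Traffic data model, and it uses the CIM field name dest rather than dst. Run the searches in order over the same short time window.

```spl
index=* sourcetype="cisco:asa" tag=network tag=communicate earliest=-15m
| stats count by src dest action

| datamodel Network_Traffic All_Traffic search
| search sourcetype="cisco:asa" earliest=-15m
| stats count by All_Traffic.src All_Traffic.dest All_Traffic.action

| tstats summariesonly=true count from datamodel=Network_Traffic where sourcetype="cisco:asa" earliest=-15m by All_Traffic.src All_Traffic.dest All_Traffic.action
```

The first search shows what the raw events look like after the TA's extractions, aliases and tags are applied on the search head; if src and dest are missing here, the TA is not active on the search head and no rebuild will help. The second search runs the data model definition over the raw events without touching the accelerated summaries, so it reflects the current field configuration. The third search reads only the accelerated summaries, which is what the ES dashboards use. If the first two searches return real values while the third returns unknown, the summaries are stale and rebuilding the data model acceleration (Settings > Data models > Network_Traffic > Rebuild) is the fix.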

mdessus_splunk
Splunk Employee

Hello, when you do a search from the ES app, do you also see the tags and the normalized data from the TA?

0 Karma