Hello Experts,
We tried to add the web data to the Web data model using eventtypes and tags, and I was successful in creating those to normalize the data. I searched for the web data and saved it as an eventtype in eventtypes.conf in Splunk_SA_CIM/local/, and then in tags.conf gave a tag for that eventtype to match the data to the data model using the tag.
My question here is: do I need to give the tag name as 'Web' (the name of the data model), or create a child like 'proxy' and give the tag name as proxy?
The other question is I'm trying to test if the data is linked to the data model.
I used a search [|datamodel Web]
The result is as follows; it shows the structure of the data model.
{ [-]
description: Web Data Model
displayName: Web
modelName: Web
objectNameList: [ [-]
Web
Proxy
zscaler
]
objectSummary: { [-]
Event-Based: 3
Search-Based: 0
Transaction-Based: 0
}
objects: [ [+]
]
}
When I tried the search [|datamodel Web proxy search]
it showed that no results were found.
Please help me by giving the right tag in tags.conf to link the data to the data model and to search the data using that data model.
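An added example, not part of the original post: a Python check that reads eventtypes.conf and tags.conf text and reports which Web data model datasets each event type's tags satisfy. It assumes the default CIM constraints (`tag=web` for Web, with `tag=proxy` required in addition for the Proxy child); the event type names, indexes and sourcetypes are constructed, and the custom zscaler dataset is left out because its constraint is not shown in the post.

```python
import configparser

# Assumption (CIM defaults): Proxy inherits tag=web and adds tag=proxy.
DATASET_TAGS = {"Web": {"web"}, "Web.Proxy": {"web", "proxy"}}

# Constructed sample configs; all names here are hypothetical.
EVENTTYPES_CONF = """
[my_proxy_traffic]
search = index=proxy sourcetype=my:proxy:log
[my_web_access]
search = index=web sourcetype=my:web:access
[my_proxy_only]
search = index=proxy sourcetype=my:other:proxy
"""
TAGS_CONF = """
[eventtype=my_proxy_traffic]
web = enabled
proxy = enabled
[eventtype=my_web_access]
web = enabled
[eventtype=my_proxy_only]
proxy = enabled
"""

def parse_conf(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep tag names exactly as written
    cp.read_string(text)
    return cp

def enabled_tags(tags_conf):
    """Map event type name -> set of tags marked 'enabled' in tags.conf."""
    cp, result = parse_conf(tags_conf), {}
    for section in cp.sections():
        field, _, name = section.partition("=")
        if field == "eventtype":
            result[name] = {t for t, v in cp[section].items() if v.strip() == "enabled"}
    return result

def dataset_coverage(eventtypes_conf, tags_conf):
    """For each event type, list the datasets whose required tags it carries."""
    tags = enabled_tags(tags_conf)
    return {name: sorted(ds for ds, need in DATASET_TAGS.items()
                         if need <= tags.get(name, set()))
            for name in parse_conf(eventtypes_conf).sections()}

if __name__ == "__main__":
    for name, datasets in dataset_coverage(EVENTTYPES_CONF, TAGS_CONF).items():
        print(f"{name}: {datasets or 'matches no Web dataset'}")
```

The third event type carries only the `proxy` tag, so under the assumed constraints it lands in neither dataset, because a child dataset also has to meet its parent's constraint.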