I hope the above explanation gives you a clear insight into the stats commands and their uses, so that next time you read a Splunk dashboard, or build your own, you know which stats command to choose. Happy Splunking.

Accelerated data models have made searches over long time ranges and large volumes of data extremely fast. This post walks through a short, step-by-step procedure for building a custom search on top of the CIM data models.

Example use case: monitor all Windows user and computer account creation.

Step 1: Make sure Windows data is coming into Splunk according to best practices. This means the data should be properly indexed, sourcetyped, and so on, before any CIM mapping is attempted; a wrong sourcetype means the add-on's field extractions, event types and tags never apply.

Step 2: Search Splunkbase for an existing Windows TA. For this example, the Splunk Add-on for Microsoft Windows covers Windows event log data.

Search the add-on's eventtypes.conf for any event types that match events involving user or computer account creation. For this example, the event type below fulfills the use case:

search = sourcetype=*:Security (signature_id=4720 OR signature_id=4741 OR signature_id=624 OR signature_id=645)

Here 4720 and 4741 are the current Windows Security event IDs for a user account and a computer account being created, and 624 and 645 are their pre-Vista equivalents, so the event type catches both old and new audit formats; the sourcetype wildcard matches both the classic WinEventLog:Security and the XmlWinEventLog:Security sourcetypes. Pay particular attention to how these event types are tagged (tags.conf in the add-on), because the data model constraints key on the tags, not on the event type name.

Step 5: In the Splunk GUI, go to Settings > Data models. Search through the CIM data models to find the one that best matches the use case. For this example, the Change Analysis data model can be used. (Recent CIM releases deprecate Change Analysis in favor of the Change data model, which carries the equivalent Account Management objects; the procedure is the same.)

Step 6: Identify the appropriate child object(s) within the selected data model. For this example, we will use the Created Accounts child object. Take notice of the constraints on that child object, specifically the tags (tag=change, tag=account). The tags are what connect the event type to the data model: an event type that matches the raw events but is missing either tag will never show up in the data model or in its acceleration summaries, and a search against the model will silently return nothing.
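The following two searches are an added example and are not part of the original post; they assume the Splunk Add-on for Microsoft Windows with its default event types and tags, and the CIM Change Analysis model accelerated as shipped. The first search confirms that the raw account-creation events actually receive an event type and the change and account tags; the second is the fast search the post is aiming for, reading only the accelerated summaries of the Created Accounts object rather than the raw events.

```spl
sourcetype=*:Security (signature_id=4720 OR signature_id=4741 OR signature_id=624 OR signature_id=645)
| stats count BY signature_id eventtype tag

| tstats summariesonly=true count
    FROM datamodel=Change_Analysis.All_Changes
    WHERE nodename=All_Changes.Account_Management.Created_Accounts
    BY _time span=1h, All_Changes.src_user, All_Changes.user, All_Changes.dest
| rename All_Changes.* AS *
```

Run them as two separate searches. If the first one returns rows where tag does not include both change and account, fix the tagging before touching the data model. In the second, summariesonly=true restricts the search to accelerated data, so it returns nothing until the model's acceleration has been enabled and has caught up; set it to false to fall back to a (much slower) search over the raw events, which is also a quick way to confirm the mapping before acceleration finishes. src_user is the account that performed the creation and user is the account that was created, which is the pair an analyst wants when hunting for unexpected new accounts.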
The indexed fields are from normal index data, accelerated data models, or tscollect data.