
Splunk Data Models Restricting to Specified Indexes

  • Published on 21 Nov 2022
  • Splunk data models, especially if they are accelerated, need to be restricted to specified indexes to increase performance. This video will walk through how to specify which indexes to use in a data model.
    Splunk Data Models and why you should use them • Splunk Data Models - W...
    Getting the data model restricted to specific indexes • Splunk Data Models Res...
    Eventtypes for the data model • Splunk Data Models and...
    Tagging the data for the data model • Splunk Data Models and...
    Field aliasing for the data model • Splunk Data Model Fiel...
    Converting a normal query into a tstats query - • Splunk How to Convert ...
    Visit our discord channel to post questions and suggestions for what you want to learn.
    The latest L.A.M.E. Splunk apps are available at
    www.github.com/lameCreations

Comments • 8

  • @xaviercortez5625
    @xaviercortez5625 9 months ago

    My mind is blown. Amazing stuff!!!

  • @GoFancy101
    @GoFancy101 1 year ago

    Keep up the great work. This is the type of content I was looking for made easy and to the point !

  • @kostyavirchenko2590
    @kostyavirchenko2590 9 months ago

    Also, the first step after installing ES is to define a "stub" index in all DMs' whitelists.

  • @brandonkron2013
    @brandonkron2013 6 months ago

    Can I restrict a user's permissions to one index in a data model? I have 3 indexes in the data model, and don't want the user to be able to see events from a particular index.

    • @lamecreations_guides
      @lamecreations_guides 6 months ago

      You restrict groups to an index. Then, when you set the whitelisting for an index on a datamodel, if the user does not have access to that index, they should not see the results of that index. I would have to test it, but I would assume that if you accelerate that data model, then the user "WOULD" have the permissions to see the data that came out of that index. That is my hunch, not certain, but I am pretty certain that if they run a tstats query on the accelerated data, they would have access to the accelerated data from that restricted index. Hope that makes sense.

  • @ismailbensikali5579
    @ismailbensikali5579 1 year ago

    Thank you for this informative video, very useful. Can you please explain the field under CIM setup and the tags in the data model constraint? For example, in the CIM setup for the data model Network Traffic, the Tags whitelist is cloud,pci. However, in the Data Model setup, the tags in the constraint are defined as tag=network tag=communicate. Please explain why we don't have the same tags.

    • @lamecreations_guides
      @lamecreations_guides 1 year ago

      Great question. I did some research on the topic and this is what I found. The data models have a field called tag that can be called, for example:
      | tstats count from datamodel=Network_Traffic groupby All_Traffic.tag
      is a query that will return all tags, but it only returns tags that are in that whitelist. So you can tag your data with all sorts of tags, but only pci and cloud are part of the data model. This can be helpful if you want to only show network traffic that is pci or cloud based. It lets you restrict down some of your searches. Of course, you are going to need to create an eventtype that covers all of your pci or cloud traffic and gives it those tags.
      Hope this helps.
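The following is an added configuration example, not from the video or the L.A.M.E. apps, that puts the pieces from this thread side by side: the per-data-model index restriction (with the "stub" index from the comment above), the tags whitelist that the last question is about, and the eventtype/tag pair the reply says you need before a tstats search on tag=pci returns anything. Stanza and setting names are taken from memory of Splunk_SA_CIM and should be verified against your installed CIM version; the index names, sourcetype, eventtype search and SPL are constructed.

```ini
# --- Splunk_SA_CIM/local/macros.conf ---
# The CIM setup page stores each data model's index restriction in a
# macro (name assumed: cim_<DataModel>_indexes). Index names are constructed.
[cim_Network_Traffic_indexes]
# weak: definition = ()   <- every index the searching role can read is
#                           scanned by the model and by every acceleration run
definition = (index=netfw OR index=netflow)

# A data model you have not fed yet gets a "stub" index that does not exist,
# as the comment above recommends, so its acceleration scans nothing.
[cim_Web_indexes]
definition = (index=stub_dm_not_in_use)

# --- Splunk_SA_CIM/local/datamodels.conf ---
# The "Tags whitelist" from the setup page (setting name assumed). The
# constraint inside the model (tag=network tag=communicate) decides which
# events are in the model; this list decides which tag values survive into
# All_Traffic.tag, so the two lists are not expected to match.
[Network_Traffic]
tags_whitelist = network,communicate,cloud,pci

# --- eventtypes.conf (in your own app) ---
# One eventtype covering the PCI-scoped traffic; the search is constructed.
[pci_cardholder_traffic]
search = index=netfw sourcetype=cisco:asa dest_zone=cardholder

# --- tags.conf (same app) ---
# network/communicate put the events into the model; pci is the tag the
# whitelist keeps and the search below filters on.
[eventtype=pci_cardholder_traffic]
network = enabled
communicate = enabled
pci = enabled

# Check in Search once the summaries have been rebuilt (constructed SPL):
#   | tstats summariesonly=true count from datamodel=Network_Traffic.All_Traffic
#       where All_Traffic.tag=pci by All_Traffic.src All_Traffic.dest
```

If the tstats search returns nothing after a rebuild, confirm first that the raw events carry the pci tag (`index=netfw tag=pci`) and then that pci is in the whitelist; a tag missing from the whitelist is dropped from the summary even when the events are in the model.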