A Technical Guide to Splunk Data Models
Splunk Data Models are essential for organizing and accelerating searches, providing structured data for Splunk’s Pivot interface and creating efficient dashboards. This guide will walk you through the processes of creating, filling, maintaining, validating, and requesting data from Splunk Data Models.
Creating a Splunk Data Model
- Log in to Splunk: Access your Splunk instance through your web browser.
- Navigate to Data Models: Go to Settings > Data models.
- Create New Data Model:
  - Click on New Data Model.
  - Enter a Title and an optional ID and Description.
  - Choose the Permissions (private or shared in an app).
  - Click Create.
- Add Data Model Objects:
  - Click on Add Object.
  - Choose the Root Event Object or Root Search Object.
  - Provide an Object Name, Display Name, and Description.
  - Define the Constraint (base search), for example: (`cim_Vulnerabilities_indexes`) tag=vulnerability tag=report
  - Add Fields (auto-extracted or manually defined).
- Save the Data Model: Click Save to store the Data Model.
- Use Accelerations (recommended after development):
  - Enable acceleration for faster search performance.
  - Navigate to the Data Model, click Edit > Edit Acceleration.
  - Check Accelerate and set the Summary Range.
  - Click Save.
Maintaining a Splunk Data Model
- Regular Updates:
  - Periodically review and update the Data Model to align with any changes in your data sources or organizational requirements.
- Manage Permissions:
  - Ensure appropriate access controls by updating permissions.
  - Go to Settings > Data models, select the Data Model, and click Edit Permissions.
- Optimize Performance:
  - Monitor the performance of accelerated Data Models.
  - Adjust the summary range or constraints as necessary.
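One way to monitor an accelerated Data Model is to compare, per day, how many events the acceleration summary holds against how many the full (unaccelerated) model search returns. The search below is an added example and not part of the original guide; it assumes the CIM Vulnerabilities data model (root dataset Vulnerabilities) is accelerated, and the lines starting with # are annotations in the same style as the guide's snippets, not SPL syntax, so remove them before running the search.

```spl
# Added example: accelerated (summary) counts versus full counts, bucketed per day
# Assumes the Vulnerabilities data model is accelerated; swap in your own model and dataset
| tstats summariesonly=false count AS total
    FROM datamodel=Vulnerabilities.Vulnerabilities
    BY _time span=1d
| append
    [| tstats summariesonly=true count AS accelerated
        FROM datamodel=Vulnerabilities.Vulnerabilities
        BY _time span=1d ]
| stats sum(total) AS total, sum(accelerated) AS accelerated BY _time
| fillnull value=0 total accelerated
| eval missing=total-accelerated,
       pct_accelerated=round(100*accelerated/total, 1)
| sort _time
```

Run it with a time range inside the configured Summary Range: days older than the summary range legitimately show as missing from the summary, while gaps inside the range point at a backlog (the summary has not caught up yet) or at events that no longer match the constraint after a change to the model.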
Validating a Splunk Data Model
- Use the Data Model "CIM Validation (S.o.S.)" (only available for internal Data Models):
  - Select Settings > Data models.
  - Locate the CIM Validation (S.o.S.) data model and, in the Actions column, click Pivot.
  - Click one of the following to create the Pivot:
    - Top level dataset
    - Missing extractions
    - Untagged events
- Use the datamodelsimple command:
  The datamodelsimple command in Splunk is designed to retrieve and explore the structure of data models, including listing available models, objects within a model, and attributes of a specific object.
  # List all data models
  | datamodelsimple type=models
  # List all objects in a specific data model
  | datamodelsimple type=objects datamodel=Authentication
  # List attributes for a specific object in a data model
  | datamodelsimple type=attributes datamodel=Authentication nodename=Authentication.Failed_Authentication
- Open the app "CIM Vladiator":
  - Search Type: Datamodel
  - Target datamodel: <your Model>
  - Search: | datamodel Vulnerabilities search | search index=vulnerabilities
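Beyond the validation apps above, a plain search can measure how completely each source populates the CIM fields of a model. The search below is an added example and not part of the original guide; it uses the CIM Vulnerabilities data model and its documented fields (dest, severity, signature, cve), the 90 % coverage threshold is an assumed value, and the # lines are annotations in the guide's snippet style rather than SPL syntax (strip them before running). The same stats-by-sourcetype pattern, applied to the constraint search from the creation section before the model is saved, confirms the constraint actually matches the intended indexes and sourcetypes.

```spl
# Added example: CIM field coverage per index and sourcetype for the Vulnerabilities model
# Field names come from the CIM Vulnerabilities dataset; the 90% threshold is assumed
| datamodel Vulnerabilities Vulnerabilities search
| stats count AS events,
        count(Vulnerabilities.dest) AS has_dest,
        count(Vulnerabilities.severity) AS has_severity,
        count(Vulnerabilities.signature) AS has_signature,
        count(Vulnerabilities.cve) AS has_cve
  BY index, sourcetype
# Turn each has_* count into a percentage of events that carry the field
| foreach has_* [ eval pct_<<MATCHSTR>>=round(100*'<<FIELD>>'/events, 1) ]
| fields index, sourcetype, events, pct_*
# Flag sources whose required fields fall below the assumed threshold
| where pct_dest < 90 OR pct_severity < 90 OR pct_signature < 90
```

The datamodel command runs the unaccelerated constraint search, so limit the time range; a sourcetype listed here either lacks a field extraction or tag, or has the field under a non-CIM name that needs an alias before detections built on tstats will see it.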
Requesting Data from a Splunk Data Model
# datamodel command
| datamodel <DataModelName> <ObjectName> search
# tstats
| tstats count FROM datamodel=Network WHERE ip=10.9.8.7 by <Fields>
| tstats count
    FROM datamodel=Network.Network_Traffic
    WHERE Network_Traffic.src=10.9.8.7
    BY Network_Traffic.src, Network_Traffic.dest, Network_Traffic.action
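A fuller tstats query, as an added example that is not from the original guide, shows how a detection is typically built on an accelerated model: the CIM Authentication data model with its documented fields (action, src, dest, user), 5-minute time buckets, and a threshold of 20 failures per bucket that is an assumed value for illustration. The # lines follow the guide's snippet labelling and are not SPL syntax; remove them before running.

```spl
# Added example: failed logons per source and destination in 5-minute buckets,
# read only from the acceleration summary (summariesonly=true)
# The threshold of 20 failures is an assumed value; tune it to your environment
| tstats summariesonly=true count AS failures,
         dc(Authentication.user) AS distinct_users
    FROM datamodel=Authentication.Authentication
    WHERE Authentication.action="failure"
    BY _time span=5m, Authentication.src, Authentication.dest
# Drop the dataset prefix so the output fields read src, dest, ...
| rename Authentication.* AS *
| where failures >= 20
| sort - failures
```

summariesonly=true keeps the search on the summary and therefore fast, but events that have not been summarized yet are not counted; use summariesonly=false when completeness matters more than speed (for example when verifying a hit). A high distinct_users count from one src within a bucket indicates many accounts being tried from one source, a different pattern from repeated failures against a single account.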
Sources
- Splunk: How to use the CIM data model
- Splunk: Use the CIM to validate your data
- Splunk: Common Information Model Add-on Manual
- Splunk: Use the CIM to normalize CPU performance metrics
- Splunkbase: SA-cim_vladiator