CIM Data Model Optimizations (Murray, September)

The Splunk community has rallied around the concept of data models, and why not? Normalizing data into common field sets helps to build use cases regardless of what vendor your data comes from.

I have installed the CIM app and done all of the event typing and tagging to get my data into the data models relevant to my environment. It's a clustered environment with six indexers and a single search head.

Looking at a specific CIM DataModel (Authentication, for example): the DataModel specifies a macro as its criteria, cim_Authentication_indexes. The intent of this is that you edit the macro to specify only the relevant indexes for that DataModel. You would enter something along the lines of (index=authentication_index OR index=other_auth_index) and save that in the macro. The expectation following such is that when the DataModel runs it need only look for events in those specific indexes, and specifically excludes every other index.

Take the Web data model: (`cim_Web_indexes`) tag=web is the root level search. The cim_Web_indexes macro is: (index=cisco OR index=f5). If I search on index=cisco tag=web, I get the exact same results. If I run the CIM Validator using that search, it comes back with 48 compliant.

In this search, summariesonly refers to a macro which indicates (summariesonly=true), meaning only search data that has been summarized by the data model acceleration. Summarized data will be available once you've enabled data model acceleration for the data model NetworkTraffic.

Additional note: by default, data models are configured to run three concurrent acceleration instances per data model, which can contribute to more resource usage at the indexers. In order to reduce the resource utilization, reduce the number of concurrent searches to one.

The search which actually gets executed for the Authentication model is:

| search (index=* OR index=_*) ((`cim_Authentication_indexes`) tag=authentication NOT (action=success user=*$)) |

Aside from the argument that index=* is generally agreed to be bad practice (and index=* OR index=_* is even worse), I am trying to understand if this is common to other deployments or if we have somehow introduced this. Since the execution is additive, I know the search is still effectively index=any AND index=$myauthindexes$, which essentially evaluates to just index=$myauthindexes$, but I had never noticed this before, and can't help wondering if we have something funny going on. Running 6.5.2, upgrading to 7.0.2 imminently, so I don't want to drag any bad config with us. I'd be interested to hear if others have the same, and any thoughts on why this was implemented, if it was by design.

Reply: I know it is a bit late, but for those that have the same problem and land on this page (like myself): the problem setting is 'autosummaryperc' in nf.