Splunk searches relating to Datamodels
clear
| rest splunk_server=local /servicesNS/-/Splunk_SA_CIM/data/models | fields title eai:data | spath input=eai:data path=objects{}.fields{} output=fields | mvexpand fields | spath input=fields | fields - eai:data fields
0 comments
[0]
[0]
[0]
[0]
| from datamodel:"Authentication"."Authentication"
| search action=failure OR action=success
| streamstats window=0 current=true reset_after="(action=\"success\")" count as failure_count by user
| where action="success" and failure_count > 10 | stats values(failure_count) as failure_count by user
0 comments
[0]
[0]
[0]
[0]
| datamodel Network_Traffic All_Traffic search | dedup All_Traffic.dest | stats count by All_Traffic.src_ip, All_Traffic.dest,All_Traffic.action
0 comments
[1]
[0]
[1]
[0]