Versions Compared

Old Version 1

changes.mady.by.user Seth Marek

Saved on

compared with

New Version Current

changes.mady.by.user Seth Marek

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Category: Problem

Priority: Normal

Platform: Splunk

Version: 1 from 08.11.2022

Description

The Certificates.SSL CIM dataset does not return STRUST data as expected. Instead, the STRUST data will only appear when calling from the broader Certificates data model, and no SSL-related fields are found in the search results.

...

Cause

The applicable tag is missing from the STRUST event type, excluding the data from the SSL dataset.

Resolution

Add the “ssl” tag to the event type with the following procedure:

  1. Go to Settings > Event types

  2. Search for the “event_type_STRUST” event type

  3. Click on the event type

  4. Add the “ssl” tag next to the “certificate” tag

  5. Save

  6. After a few minutes, try searching again

...

Image RemovedImage RemovedImage RemovedCIM Mapping included with the app is not functioning properly in one of two ways:

  1. The expected data is not being returned from a given dataset

  2. The expected fields are not automatically found in the CIM-mapped data

Cause

  1. The expected data is not being returned from a given dataset
    This is likely an issue with the Splunk Event Type, whether from the event type definition or the tags associated with the event type.
    CIM datasets use event types to define the base search for that data. Tags attached to the event type define which models fit the data.
    If the expected data is not being returned from a given dataset, it is possible that the correct tags have not been assigned to the event types.

  2. The expected fields are not automatically found in the CIM-mapped data
    PowerConnect’s CIM mapping uses a series of sourcetype-linked field calculations (found in Settings > Fields > Calculated Fields).
    If the expected field is not populating (or instead populating as “Unknown”), then either…

    1. the calculated field definition may not match the source data, or

    2. the result of the calculated field does not conform to the expected value for that field in the data model

In both cases, the field calculation must be modified to provide the correct data.

It is encouraged that only an experienced Splunk power user should make these changes. Otherwise, please contact support@powerconnect.io to help resolve this issue.

Table of Known Issues

This table will be filled in as issues are discovered.

Knowledge Objecct Type

Knowledge Object Name

Fix