Enterprise Security
Splunk App for Enterprise Security · v7.3.0
DAY 16 LAB · LAB 16 — VALIDATE CIM COMPLIANCE · week 3
Validate CIM compliance on the Authentication data model.
  • Run pre-loaded tstats validation query.
  • Identify any sourcetype missing the action field.
  • Plan a fix via eventtype + tag.
Hint: a sourcetype whose events lack the action field is not CIM-compliant for the Authentication data model. Fix it at search time first (eventtype + tag, an eval in the search bar), then persist the fix in props.conf.
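An added worked example of the three lab steps, not part of the lab page or of Splunk's own configuration: the tstats validation search, the search-time test, and the eventtype + tag + props.conf fix, written as Splunk .conf stanzas with the SPL searches in comments. The sourcetype my_vpn_log, its result field values OK/DENIED, the sample events, the eventtype name my_vpn_auth and the app directory are all assumptions; the lab's simulated search bar supports only a subset of SPL, so the tstats form is meant for a real Splunk instance.

```conf
# Step 1 - validation search (run in the search bar; real SPL, not the lab's
# reduced syntax). Lists every sourcetype feeding the Authentication model
# together with how many of its events carry the CIM "action" field, and
# keeps only the sourcetypes where some events are missing it.
#   | tstats count AS total FROM datamodel=Authentication BY sourcetype
#   | join type=left sourcetype
#       [| tstats count AS with_action FROM datamodel=Authentication
#          WHERE Authentication.action=* BY sourcetype]
#   | fillnull value=0 with_action
#   | where with_action < total
#
# Equivalent raw-event form when tstats / acceleration is not available:
#   tag=authentication
#   | stats count AS total, count(action) AS with_action BY sourcetype
#   | where with_action < total
#
# Step 2 - assume the search flags the hypothetical sourcetype my_vpn_log,
# whose constructed events look like:
#   2024-01-01T10:00:00Z user=alice src=10.0.0.5 result=OK
#   2024-01-01T10:00:03Z user=bob   src=10.0.0.9 result=DENIED
# They carry a vendor "result" field but no CIM "action" field, so the
# sourcetype is not CIM-compliant for the Authentication model.
#
# Step 3a - search-time test before touching any .conf file; the stats line
# should show only the CIM values "success" and "failure":
#   sourcetype=my_vpn_log
#   | eval action=case(result=="OK","success", result=="DENIED","failure")
#   | stats count BY action
#
# Step 3b - persist the fix. Files live under
# $SPLUNK_HOME/etc/apps/<your_app>/local/ (<your_app> is a placeholder).

# --- local/eventtypes.conf : select the events that are authentication attempts
[my_vpn_auth]
search = sourcetype=my_vpn_log result=*

# --- local/tags.conf : the Authentication data model selects tag=authentication
[eventtype=my_vpn_auth]
authentication = enabled

# --- local/props.conf : derive the CIM action field from the vendor result field
[my_vpn_log]
EVAL-action = case(result=="OK","success", result=="DENIED","failure")
```

After saving the stanzas, re-run the Step 1 search: my_vpn_log should drop out of the result set. EVAL-action is a search-time field, so ordinary searches pick it up immediately, but if the Authentication data model is accelerated the summary has to be rebuilt before a `tstats summariesonly=true` search reflects the new field.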
New Search
supported: search field=value (wildcards) · stats count by f1,f2 · where field op N · sort -field · top N field · head N · table f1 f2