How to use Splunk CIM Data Model

I am trying to understand how to write an Eval statement in Splunk and the documentation isn't helpful. Specifically, I am looking at the Malware CIM Data Model. There is a field called "Malware_Attacks" with prescribed values of: critical, high, medium and low. How do I create an eval statement using this CIM field and the prescribed values, and apply it to the regex I created separately with capture groups?

Thanks, Jack

I have tried the Splunk CIM Data Model documentation and it doesn't go into detail on prescribed values, on how to apply the CIM data field in question, or on how to incorporate it into writing an eval statement.

Solution 1:[1]

The severity field already exists in the datamodel (DM), so all you have to do is reference it. Do that by specifying the DM name and the field separated by a dot. For example, | table "Malware_Attacks.severity". Quotes are used to keep Splunk from treating this as two concatenated fields (since . is also the concatenation operator). You can make life a little easier by using rename to remove the DM name so fields can be referenced directly.

| rename "Malware_Attacks.*" as *
| table severity
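Added example (not part of RichG's answer or the Splunk CIM documentation): the question also asks how to get from regex capture groups to the prescribed severity values, and that mapping happens on the raw events before they are tagged into the data model. The search below pulls a vendor severity string out of the raw event with rex, normalizes it to the four CIM values with eval/case(), then counts how each vendor value was mapped so you can spot anything that fell through. The index name av_logs, the sourcetype vendor:av:alert, the capture group name vendor_sev and the "risk=" pattern are all assumed placeholders; substitute your own.

```spl
index=av_logs sourcetype=vendor:av:alert
| rex field=_raw "risk=(?<vendor_sev>\w+)"
| eval severity=case(
      match(vendor_sev, "(?i)^(critical|crit|sev1)$"),       "critical",
      match(vendor_sev, "(?i)^(high|major|sev2)$"),          "high",
      match(vendor_sev, "(?i)^(medium|med|warning|sev3)$"),  "medium",
      match(vendor_sev, "(?i)^(low|minor|info|sev4)$"),      "low")
| stats count by vendor_sev severity
```

Any vendor_sev value that matches none of the case() branches leaves severity empty, which is deliberate: a null shows up in the stats output (and in the data model) as a gap to fix in the mapping, rather than silently landing in the wrong bucket. Once the eval is moved into a calculated field on the sourcetype, the same normalized values can be checked across everything tagged into the model with | tstats count from datamodel=Malware.Malware_Attacks by Malware_Attacks.severity, followed by the rename from the answer above.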

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 RichG