Change log for SPLUNK
Date: 2024-05-01
- Updated the mapping for the deprecated UDM field.

Date: 2023-11-29
- Aligned the "principal/target.hostname" and "principal/target.asset.hostname" mapping.
- Modified the logic to map the "security_result.action_details" UDM field even when the values of the "action" raw log field do not match the logic.

Date: 2023-05-17
- Added "auth.type" for login events.

Date: 2023-01-04
- Handled an error and changed the mapping for the "Authentication" datamodel: if the "user_id" variable is empty, the "user" variable is mapped to "principal.user.userid". Also, event_type is now mapped to USER_LOGIN.
- Handled unparsed logs for the "Endpoint" datamodel.
- Modified the mapping for the "Change" datamodel: the "user" field is mapped to "target.user.user.userid", the "user_name" field is mapped to "principal.user.user_display_name" for the tags `change` and `account`, and the "src_user" field is mapped to "principal.user.userid". Also, event_type is mapped to "USER_UNCATEGORIZED".
- Modified the mapping for the "result" and "result_id" fields in the "Change" datamodel to "metadata.description" and "metadata.product_event_type".
- Changed the mapping for the "Network Traffic" datamodel: if the "user_id" variable is empty, the "user" variable is mapped to "principal.user.userid".
Last updated 2025-03-06 UTC.