ocsf / ocsf-schema

OCSF Schema
Apache License 2.0

Security Profile field name "action" #954

Open ark2491 opened 9 months ago

ark2491 commented 9 months ago

Although it is very straightforward to call action "Unknown/Allowed/Denied/Other" and I agree with it, the field action is already present in other models (CIM) used by Splunk, and I think it may be a hard time to migrate use cases from people who use this field/values already. CIM itself does not really follow a strict standardized format for actions already, so I agree with the field/action_id requirement. But certain data types would be hard to migrate for legacy customers and datasets. Would it be possible to rename this to something slightly similar, and keep action_id, as that makes sense as well? I'm open to discussion about this, as my goal is for people to adopt this schema without conflicting with other use cases that data owners may have in production.

pagbabian-splunk commented 9 months ago

Are you talking about the sibling field action while the action_id enum is ok? If so, we would be violating the sibling name convention if we changed action to something else. Also, it would be a breaking change of 1.1 or we would need to deprecate it. Any confusion on this due to CIM Data Models might better be dealt with via a FAQ or separate mapping note.
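The "sibling name convention" referred to above and the suggested "separate mapping note" are easiest to see in code. The following is an added example, not part of this issue or of the ocsf-schema project: it maps a legacy CIM-style `action` string onto the OCSF sibling pair `action_id` / `action` and checks that the pair stays consistent. The enum values (0 Unknown, 1 Allowed, 2 Denied, 99 Other) are assumed to match the Security Control profile; the CIM-style source vocabulary (`allowed`, `blocked`, `success`, ...) is a constructed illustration, not an official mapping.

```python
"""Added example (not ocsf-schema project code): normalize a legacy CIM-style
``action`` string into the OCSF sibling pair ``action_id`` / ``action``."""

# OCSF Security Control profile enum values (assumed for this example).
ACTION_ID_UNKNOWN = 0
ACTION_ID_ALLOWED = 1
ACTION_ID_DENIED = 2
ACTION_ID_OTHER = 99

# Canonical sibling strings: the ``action`` string is the caption of ``action_id``.
ACTION_NAMES = {
    ACTION_ID_UNKNOWN: "Unknown",
    ACTION_ID_ALLOWED: "Allowed",
    ACTION_ID_DENIED: "Denied",
    ACTION_ID_OTHER: "Other",
}

# Constructed CIM-style vocabulary -> OCSF action_id. These source values are
# assumptions for illustration; a real mapping note would list the authoritative set.
CIM_TO_OCSF = {
    "allowed": ACTION_ID_ALLOWED,
    "success": ACTION_ID_ALLOWED,
    "blocked": ACTION_ID_DENIED,
    "denied": ACTION_ID_DENIED,
    "dropped": ACTION_ID_DENIED,
    "failure": ACTION_ID_DENIED,
}


def to_ocsf_action(cim_action):
    """Return {"action_id": ..., "action": ...} for a legacy action value.

    - Known values map to Allowed/Denied with the canonical sibling string.
    - Empty or missing input maps to Unknown.
    - Anything else maps to Other; by the sibling convention the ``action``
      string then carries the event source's own value, so nothing is lost.
    """
    if cim_action is None or not str(cim_action).strip():
        return {"action_id": ACTION_ID_UNKNOWN, "action": ACTION_NAMES[ACTION_ID_UNKNOWN]}
    key = str(cim_action).strip().lower()
    if key in CIM_TO_OCSF:
        aid = CIM_TO_OCSF[key]
        return {"action_id": aid, "action": ACTION_NAMES[aid]}
    return {"action_id": ACTION_ID_OTHER, "action": str(cim_action).strip()}


def sibling_consistent(event):
    """Validate the sibling pair on one event dict: for a defined enum value
    ``action`` must equal its caption; for Other it must be a non-empty string."""
    aid = event.get("action_id")
    name = event.get("action")
    if aid not in ACTION_NAMES:
        return False
    if aid == ACTION_ID_OTHER:
        return isinstance(name, str) and bool(name.strip())
    return name == ACTION_NAMES[aid]


def normalize_events(events):
    """Convert constructed legacy records into OCSF-shaped dicts, keeping the
    original string under ``unmapped`` so the legacy value stays searchable."""
    out = []
    for rec in events:
        ocsf = dict(rec)
        raw = ocsf.pop("action", None)
        ocsf.update(to_ocsf_action(raw))
        ocsf.setdefault("unmapped", {})["cim_action"] = raw
        out.append(ocsf)
    return out


if __name__ == "__main__":
    # Constructed sample records in the legacy shape.
    legacy = [
        {"src": "10.0.0.1", "action": "allowed"},
        {"src": "10.0.0.2", "action": "Blocked"},
        {"src": "10.0.0.3", "action": "teardown"},
        {"src": "10.0.0.4"},
    ]
    for ev in normalize_events(legacy):
        print(ev, "consistent" if sibling_consistent(ev) else "INCONSISTENT")
```

Keeping the raw value in `unmapped` rather than overloading `action` is what lets both field names coexist: legacy searches keep their vocabulary, while OCSF consumers rely only on `action_id` and its canonical sibling string.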

ark2491 commented 9 months ago

Understood.