I want to use the Windows Security Operations Center (WSOC) app, but my Windows event logs are fragmented across many indexes. I use different indexes to keep track of different business segments, and each segment keeps its Windows events in its own index. I would like to point the WSOC at all the indexes that have Windows event logs. Can I do this with the configuration GUI, and how?
The WSOC app (v1.1) uses macros, so you can change this easily.
Go to Manager -> Advanced search -> Search macros
You should see two macros used by the application:
windowsindex and windowssourcetype
Feel free to modify them so they include all your indexes. You can simply enter multiple indexes with the OR keyword in the windowsindex macro, for example:
index=myindex1 OR index=myindex2
This will make Splunk search through both indexes and the whole application should work automatically since all searches use this macro.
What if one wants to search for more than one windowssourcetype?
I tried to do the same as you showed for the indexes and nothing seems to be happening from the change.
I'd like to add Application and System events as well.
Any ideas?
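Both macros as they would look in macros.conf, as an added example (not the WSOC app's own files or code from the thread); the index names, sourcetype values and file location are assumptions:

```ini
# Assumed location: $SPLUNK_HOME/etc/apps/<wsoc app dir>/local/macros.conf.
# An app's shipped macros live in default/, and edits made through
# Manager -> Advanced search -> Search macros are written to local/, which
# takes precedence. Index and sourcetype names here are placeholders.

# Before (assumed single-segment values): only one index and one event
# channel are searched, so the other segments never reach the dashboards.
# [windowsindex]
# definition = index=myindex1
# [windowssourcetype]
# definition = sourcetype=WinEventLog:Security

# After: every segment's index, wrapped in parentheses so the macro always
# expands as one unit when the app's searches combine it with other terms.
[windowsindex]
definition = (index=myindex1 OR index=myindex2 OR index=myindex3)

# Security, Application and System channels together, answering the
# follow-up question; the same OR pattern applies to sourcetypes.
[windowssourcetype]
definition = (sourcetype=WinEventLog:Security OR sourcetype=WinEventLog:Application OR sourcetype=WinEventLog:System)
```

After saving, run `` `windowsindex` `windowssourcetype` | stats count by index, sourcetype `` over a recent window: every segment index and every channel should appear as a row. A missing row means those events are not arriving under the index or sourcetype the macro names, which would explain a macro edit that seems to change nothing.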
You are a lifesaver, thanks so much, this is what I was looking for.
Did you try adding your indexes under:
Manager » Access controls » Roles » admin » Indexes searched by default
or modifying the WSOC app searches and adding a macro?
Yes, too many indexes to put in roles, and I don't want to have to do this for all groups that need data. Can you point me to, or get me started on, a "MACRO" that would work with this app?