All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

look elsewhere for data

tnorth42
Explorer
‎02-23-2018 02:06 PM

The searches in security splunk essentials point to a default source of wineventlog:security, can we change to point to a different source or index?

Reply

David
Splunk Employee
Splunk Employee
‎02-23-2018 02:13 PM

Yes (ish)! Assuming you're running Version 2.0.0 (released yesterday), you can turn on Advanced SPL mode (click the "Show SPL" link to access) to manually change the criteria for any given search you're looking at. Every search should be using index=*, so you shouldn't need to worry about the index itself. (If there are any exceptions, I'll get them fixed in the next bug release.)

If you want to change it on a global level (e.g., "we always use sourcetype=abc for our Windows Security Logs") then I actually do have some thoughts of maybe being able to support that in the future, but it's probably still a ways out -- first I've got to get through the things I wasn't able to fit into my 2.0.0 release timeline. There is a workaround though: you can edit the json files in /components/data/sampleSearches/*.json to specify your alternate sourcetype.. it will be overwritten at the next upgrade, but it's a workaround for now.

I would be curious to know the specifics of what sourcetypes you have for Windows Security logs that are not wineventlog:security. If it's xmlwineventlog:security -- that one I'm definitely going to fix in the relatively near future. If it's something else entirely, I'd love to hear what you're doing. (I can email you directly as well, if you'd prefer.)

0 Karma
Reply

smallfry
Explorer
‎10-10-2018 06:28 AM

Hey David. First of all, thanks for the App. It's very useful. I tried v2.2.0 of the app but realized that we need to edit the json files. For instance, the firewall logs by default is for Palo Alto while we are using a mixture of Cisco and Fortinet. If you next release can incorporate a set up or settings interface, it woud be perfect!

0 Karma
Reply

tnorth42
Explorer
‎02-23-2018 02:30 PM

Thank you!

0 Karma
Reply

tnorth42
Explorer
‎02-23-2018 02:19 PM

Awesome, we just installed 2.0 today. We will edit the json as suggested above. We have a subscription pushed out through GPO to all of our windows systems that send their data to 2 windows event collectors, from there we are utilizing splunk universal forwarder and all events are coming in with source="WinEventLog:ForwardedEvents".

0 Karma
Reply

David
Splunk Employee
Splunk Employee
‎02-23-2018 02:24 PM

Ahhh, interesting! That wasn't on my roadmap, but as I sketch out the design for that feature, I'll make sure forwardedevents are in scope.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...