Hi All,
I was able to get the CounterACT module to forward data using the "web_event" sourcetype. However, all the data resides in the "main" index. Does anyone have any tips on how to change the index for the data being forwarded by the CounterACT integration module?
Thanks,
Tung

Figured it out.
In the CounterACT policy for Splunk, edit the condition. Under the "HTTP Request" tab for the "DEX Send Web..." action, add the index name.
Original:
https://[IP]:[port]/services/receivers/simple?source=CounterACT&sourcetype=web_event
Changed index:
https://[IP]:[port]/services/receivers/simple?index=counteract&source=CounterACT&sourcetype=web_event
