Getting Data In

Whats the best practice to break the windows events?


Hi All,

We have 2 Domains, all the windows events are going to wineventlog and windows and perfmon indexes. If I break these Indexes to winventlog_domain1 and wineventlog_domain2 and deploy modified Add-ons to the hosts. Will it break anything? we use Splunk app for windows infrastructure and Enterprise Security? Any Suggestions how to achieve it?

Tags (2)
0 Karma

Super Champion

ES works on datamodels and datamodel in turn works on tags and eventtypes.
So the relationship is something like
Datamodel -> tags -> eventtypes -> props/transforms

"Index" is just a holding area and doesn't contribute to the functionality. The ONLY thing you need to consider is in Datamodel (acceleration) there is a provision of selecting Indexes. By default it scans all indexes, but sometimes customers configure to use only certain index. Ensure your new indexes are included

How we do is
- naming convention for all indexes ( mycompany_network_firewall, mycompany_os_windows etc)
- Include all key indexes to the datamodels
- Permission and groups are created based on above naming conventions

Afterward use the Splunk official Windows Addon and it will do all the magic of field extractions , tagging, datamodels etc.

0 Karma

Ultra Champion

i am commenting only as i would like confirmation form others here but i am pretty positive it is a valid answer.
I think you are safe there, the ES works on data models and tags among other knowledge objects and as long as the fields are extracted correctly from the data, there not supposed to be a problem.
regarding the app for Win Inf, i think you are also good there, if my memory is good, all searches, reports, eventtypes, macros and more tied to a sourcetype and not to an index.
with that being said, i would add the new indexes as searched by default to the relevant roles in ES, Win Inf, and Splunk
hope it helps

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...