I am trying to use Splunk ES searches and summaries but I'm not sure where to start or what logs are required.
My main issues are with the Splunk Domains and Splunk intelligence.
I had initially assumed that ingesting the basic Windows event logs, Linux syslog, and Cisco IOS SNMP should be enough data to populate most of the fields, making it work out of the box, but it seems that I must be missing something.
I have mostly set up the assets and identities (though our AD objects aren't sorted by business unit, priority, or category making it pretty useless).
Have I missed a step in configuring ES, or is there more granular documentation/walkthrough about what logs and data it needs to work properly? I have looked through the ES install and admin guide and am still left with many questions.
Check out this Q&A (upvotes appreciated):
https://answers.splunk.com/answers/691198/how-can-i-see-what-searchesstories-from-es-content.html#an...
I will have to look over this script and give it a try. It looks interesting though.
Is it basically searching indexes for compatible sourcetypes, data models, Content Update, and CIM?
Yes, it is doing all the cross-referencing for you.
Hi mgalos,
As per my understanding, tags define what ES searches/dashboards/data models can see. Apart from having correct tags, the data should be normalized as per CIM (https://docs.splunk.com/Documentation/CIM/4.12.0/User/Overview#Why_the_CIM_exists), which means that field names need to follow a certain format (usually, for commonly used data sources like Windows Events, the TAs accompanying ES should do this for you).
Once the tags are in place and ES can see fields as per CIM, data should start populating. You can get more details on CIM, data models and their respective tag/field requirements here: https://docs.splunk.com/Documentation/CIM/4.12.0/User/Howtousethesereferencetables
To search data from a sourcetype against a specific Data Model, use the following search:
| datamodel Authentication search | search sourcetype=WinEventLogs
Try this with your Windows Logs against Alert and Authentication datamodels and see if you get any data.
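As an added example (not part of the answer above, and not Splunk's own documentation), here are three diagnostic searches a practitioner can run to check whether a sourcetype is actually feeding the Authentication data model. The first reports, per sourcetype, how many events land in the model (with `summariesonly=false` so it works even before acceleration is built); the second checks whether the ES tag that the model's constraint requires is being applied; the third checks whether the CIM field names the model expects (`user`, `src`, `dest`, `action`) are populated at the raw-event level. The index name `wineventlog` and the sourcetype `WinEventLog:Security` are assumptions for illustration; substitute the values from your own inputs.conf.

```spl
| tstats summariesonly=false count
    from datamodel=Authentication
    by sourcetype, Authentication.action
| sort - count

index=wineventlog sourcetype="WinEventLog:Security" tag=authentication earliest=-24h
| stats count by sourcetype, eventtype, tag

index=wineventlog sourcetype="WinEventLog:Security" earliest=-24h
| stats count AS total,
        count(user) AS user_populated,
        count(src) AS src_populated,
        count(dest) AS dest_populated,
        count(action) AS action_populated
    by sourcetype
```

Read the three results together: if the first search returns no rows for a sourcetype but the third shows the CIM fields populated, the problem is the tag (check the second search and the eventtypes.conf/tags.conf shipped by the TA); if the tag is present but the field counts are far below `total`, the TA's field extractions are not matching your event format and the model will stay empty even though the tag is right.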
I am using Splunk TA apps for nix, windows, and added one for cisco.
The syslog for nix is RFC 5424 for most logs, and basic Windows event logs.
I will definitely take a look through the tags though and see if I can discover any discrepancies.
I assume there is something I'm not enabling or configuring correctly but the documentation isn't very particular about the features.