Splunk Enterprise Security

Enable All Splunk Enterprise Security Features

mgalos
New Member

I am trying to use Splunk ES searches and summaries but I'm not sure where to start or what logs are required.
My main issues are with the Splunk Domains and Splunk intelligence.

I had initially assumed that ingesting the basic win event logs, linux syslog, and cisco ios snmp should be enough data to populate most of the fields making it work out of the box, but it seems that I must be missing something.

I have mostly set up the assets and identities (though our AD objects aren't sorted by business unit, priority, or category making it pretty useless).

Have I missed a step in configuring ES, or is there more granular documentation/walkthrough about what logs and data it needs to work properly? I have looked through the ES install and admin guide and am still left with many questions.

0 Karma

woodcock
Esteemed Legend

mgalos
New Member

I will have to look over this script and give it a try. It looks interesting though.

Is it basically searching indexes for compatible sourcetypes, data models, content update, and CIM?

0 Karma

woodcock
Esteemed Legend

Yes, it is doing all the cross-referencing for you.

0 Karma

att35
Builder

Hi mgalos,

As per my understanding, tags define what ES searches/dashboards/datamodels can see. Apart from having correct tags, the data should be normalized as per CIM (https://docs.splunk.com/Documentation/CIM/4.12.0/User/Overview#Why_the_CIM_exists), which means that field names need to follow a certain format (usually, for commonly used data sources like Windows Events, the TAs accompanying ES should do this for you).

Once the tags are in place and ES can see fields as per CIM, data should start populating. You can get more details on CIM, data models and their respective tag/field requirements here: https://docs.splunk.com/Documentation/CIM/4.12.0/User/Howtousethesereferencetables

To search data from a sourcetype against a specific Data Model, use the following search:

| datamodel Authentication search | search sourcetype=WinEventLogs

Try this with your Windows Logs against Alert and Authentication datamodels and see if you get any data.

0 Karma
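An added illustration of the point above (not part of att35's answer, Splunk's CIM, or any TA): the data model only sees events that carry the right tag and CIM field names, so raw Windows logon events contribute nothing until aliases and tags are applied. The field list, aliases, event codes and sample events below are simplified constructed assumptions; check the CIM reference tables for the real requirements.

```python
# Added toy model with constructed events and a simplified alias/tag mapping, not Splunk's real CIM or TA_windows config.

# Assumed subset of CIM Authentication fields; confirm against the CIM docs.
AUTH_REQUIRED_FIELDS = {"action", "app", "dest", "src", "user"}
AUTH_TAG = "authentication"

# Constructed raw events, shaped like search-time extracted fields.
RAW_EVENTS = [
    {"sourcetype": "WinEventLog:Security", "EventCode": "4624", "Account_Name": "jdoe",
     "ComputerName": "dc01.corp.example", "Source_Network_Address": "10.0.0.5"},
    {"sourcetype": "WinEventLog:Security", "EventCode": "4625", "Account_Name": "svc_backup",
     "ComputerName": "dc01.corp.example", "Source_Network_Address": "10.0.0.9"},
    {"sourcetype": "cisco:ios", "message": "%SYS-5-CONFIG_I: Configured from console"},
]

# Stand-in for a TA's field aliases and tags (constructed mapping).
WIN_ALIASES = {"Account_Name": "user", "ComputerName": "dest", "Source_Network_Address": "src"}
WIN_AUTH_CODES = {"4624": "success", "4625": "failure"}

def normalize(event):
    """Return a copy of the event with CIM field aliases and tags applied."""
    out = dict(event)
    out["tag"] = set(event.get("tag", ()))
    if event.get("sourcetype") == "WinEventLog:Security":
        for raw_field, cim_field in WIN_ALIASES.items():
            if raw_field in event:
                out[cim_field] = event[raw_field]
        code = event.get("EventCode")
        if code in WIN_AUTH_CODES:       # logon events get the authentication tag
            out["action"] = WIN_AUTH_CODES[code]
            out["app"] = "win:local"     # constructed value for the example
            out["tag"].add(AUTH_TAG)
    return out

def datamodel_search(events, tag=AUTH_TAG, required=AUTH_REQUIRED_FIELDS):
    """Mimic `| datamodel Authentication search`: only tagged events are visible; also collect missing CIM fields per sourcetype."""
    matched, gaps = [], {}
    for ev in events:
        if tag in ev.get("tag", set()):
            matched.append(ev)
            missing = required - set(ev)
            if missing:
                gaps.setdefault(ev["sourcetype"], set()).update(missing)
    return matched, gaps

def coverage_report(events):
    """Data-model hits before and after normalization, plus any field gaps."""
    before, _ = datamodel_search(events)
    after, gaps = datamodel_search([normalize(e) for e in events])
    return {"raw_hits": len(before), "normalized_hits": len(after), "gaps": gaps}
```

Running `coverage_report(RAW_EVENTS)` shows zero hits on the raw events and two after normalization, with the untagged Cisco event staying invisible to the Authentication model, which is the same effect the `| datamodel ... search` check above exposes in Splunk.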

mgalos
New Member

I am using Splunk TA apps for nix, windows, and added one for cisco.

The syslog for nix is RFC 5424 for most logs, and basic WinEvent logs.

I will definitely take a look through the tags though and see if I can discover any discrepancies.

I assume there is something I'm not enabling or configuring correctly but the documentation isn't very particular about the features.

0 Karma