Splunk Enterprise Security

Enterprise Security APP Indexers mapping

ahmedhassanean
Explorer

Dears,

I would like to know how I can choose which index I forward data to from my devices.

For example, if I would like to integrate Active Directory, Cisco and Juniper logs,

which index should I choose from the default indexes that came with the Enterprise Security app?


LukeMurphey
Champion

ES doesn't require data to be in a particular index in order to be searchable. Instead, ES performs its searches using data models (based on tags), as opposed to looking for data in particular indexes. This was done so that you could put your data in whatever indexes you like.

Put your data in a separate index when you want:

  1. To restrict access to the index (prevent certain people from searching it)
  2. To apply different retention policies (for example, put data you want to keep for 30 days in a different index than data you want to keep around for 90 days)

The key to getting ES to see your data is making sure that:

  1. The data you are ingesting has the correct sourcetype (matches what the TA expects, for example, making sure that your Juniper Netscreen data is sourcetyped "netscreen:firewall")
  2. You have the correct TAs deployed to handle that given data (you have "Splunk Add-on for Juniper" installed)

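As an added example that is not part of the accepted answer, here is a universal forwarder inputs.conf that onboards the three sources from the question the way the answer describes: each input gets the sourcetype its add-on expects, and the index is chosen for access and retention reasons rather than for ES. The amz_* index names are hypothetical and follow the naming scheme in koshyk's reply below; the Juniper sourcetype is the one the answer names, and the sourcetype any given add-on expects should be confirmed against that add-on's documentation before deployment.

```ini
# Added example, not from the original thread: inputs.conf on a universal
# forwarder. The amz_* index names are hypothetical; ES requires none of them.

# Active Directory: the Splunk Add-on for Microsoft Windows assigns the
# WinEventLog:Security sourcetype itself, so only the index is chosen here.
[WinEventLog://Security]
disabled = 0
index = amz_os_windows

# Cisco ASA syslog received directly on the forwarder. The Splunk Add-on for
# Cisco ASA expects sourcetype cisco:asa.
[udp://5140]
connection_host = ip
sourcetype = cisco:asa
index = amz_network_cisco

# Juniper Netscreen syslog, using the sourcetype named in the accepted answer.
[udp://5141]
connection_host = ip
sourcetype = netscreen:firewall
index = amz_network_juniper
```

To check that ES sees the data regardless of where it landed, query the data model rather than the index, for example `| tstats count from datamodel=Network_Traffic where nodename=All_Traffic by index, sourcetype` for the firewalls and `| tstats count from datamodel=Authentication by index, sourcetype` for the domain controllers. If a source is missing from those results, the cause is a wrong sourcetype or a missing add-on on the search head or indexers, not the index name.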


koshyk
Super Champion

I wouldn't choose any default indexes. You need to plan your index names in line with your organisation structure. E.g. if my company is Amazon, then my index names would be like
amz_os_windows, amz_os_linux, amz_network_cisco, amz_network_juniper etc.

So in future if you want to give access to the network team/role you can give amz_network* to that role.

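As an added example that is not part of koshyk's reply, the two reasons the accepted answer gives for putting data in separate indexes (different retention, restricted access) can be expressed directly in configuration, using the hypothetical amz_* index names from the reply above. Retention in Splunk is a per-index setting, and search access is granted per role by index name pattern, which is what makes the naming scheme useful.

```ini
# Added example, not from the original thread.
#
# indexes.conf on the indexers: frozenTimePeriodInSecs is set per index, so
# data with different retention needs must live in different indexes
# (30 days = 2592000 s, 90 days = 7776000 s). Paths use the standard
# $SPLUNK_DB variable.
[amz_network_cisco]
homePath   = $SPLUNK_DB/amz_network_cisco/db
coldPath   = $SPLUNK_DB/amz_network_cisco/colddb
thawedPath = $SPLUNK_DB/amz_network_cisco/thaweddb
frozenTimePeriodInSecs = 2592000

[amz_network_juniper]
homePath   = $SPLUNK_DB/amz_network_juniper/db
coldPath   = $SPLUNK_DB/amz_network_juniper/colddb
thawedPath = $SPLUNK_DB/amz_network_juniper/thaweddb
frozenTimePeriodInSecs = 7776000

# authorize.conf on the search head: a hypothetical network-team role that can
# search only the amz_network* indexes. Index access inherited through
# importRoles is additive, so do not import a role that already grants
# srchIndexesAllowed = * or the restriction is silently lost.
[role_network_team]
search = enabled
srchIndexesAllowed = amz_network*
srchIndexesDefault = amz_network*
```

After restarting (or reloading) the search head, a user holding only role_network_team will not get results for index=amz_os_windows, while the ES correlation searches, which run under a role with broader index access, continue to see everything through the data models.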

ahmedhassanean
Explorer

You are talking about default index names in case there is no app, but the case here is that the Security app has default indexers and we must insert data in the correct indexer so that the dashboards are able to populate data.


koshyk
Super Champion

The data can still be in the indexes you specified. All you need to do is use CIM standards and accurate sourcetypes, and ES will take them automatically.


ahmedhassanean
Explorer

So why are there default Indexes in Enterprise Security?


ekost
Splunk Employee

The indexes that ship with ES are created for internal use, and may be provided for supporting legacy installations that have upgraded from prior releases. As an example, when a notable event is generated by a correlation search, the results are written to the 'notable' index before being displayed in the Incident Review dashboard.


ahmedhassanean
Explorer

Many thanks for your support
