Splunk Enterprise Security

ODBC connection problem with Splunk ES

swiebelhaus
Explorer

I'm trying to pull some data from Splunk Enterprise Security (ES). I have been using the Splunk ODBC to pull data from other saved searches on the Splunk cluster for years. I am doing the same thing but trying to use a search that's saved in the ES app, and I keep getting errors.

Is there something special I need to do within the ODBC driver settings, or the SQL query, to be able to connect specifically to the ES app rather than the search app?

0 Karma

swiebelhaus
Explorer

I am unable to save it as a global, due to security.
My previous saved searches, which do work via Splunk ODBC, are saved as private within an app (not ES). The difference here seems to be that ES is somehow different from other apps. That is also why the search is saved within ES: it uses lookups that exist within ES.
As to data models, I'm not quite sure how to apply that. What we are trying to do is export the notable events, along with a log of what the analysts did regarding the notable events, out to an external tool for reporting. ES keeps a lot of info in its internal lookup tables, and this search combines many of those to create this output.

0 Karma

Lazarix
Communicator

You may be able to solve this with Data Models in ES. You may need to make sure that the target ES data model is shared globally instead of just in the app.
You could also check to see if the saved searches you have in ES have their permissions set to global instead of just to App also, and that could solve your problem.

0 Karma

swiebelhaus
Explorer

Since it's security-related data, it cannot be shared globally; it must be limited to the app. The saved searches are permissioned to the app, and again, they can't be global due to the sensitivity of the data.

0 Karma
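The visibility question running through this thread (a search saved as private or app-scoped inside ES is not seen from another app context) follows Splunk's knowledge-object sharing rules. The following is an added example, not code from the thread or from Splunk; it applies those rules to a constructed response in the shape of `saved/searches?output_mode=json` from the REST API, and assumes the ES app directory is named `SplunkEnterpriseSecuritySuite`.

```python
import json

# Constructed sample, shaped like the "entry" list Splunk returns from
# /servicesNS/-/-/saved/searches?output_mode=json (only the fields used here).
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"name": "ES Notable Export",
         "acl": {"app": "SplunkEnterpriseSecuritySuite", "sharing": "app", "owner": "nobody"}},
        {"name": "Old ODBC Report",
         "acl": {"app": "my_reports", "sharing": "user", "owner": "swiebelhaus"}},
        {"name": "Shared Summary",
         "acl": {"app": "search", "sharing": "global", "owner": "admin"}},
    ]
})


def is_visible(acl, app, user):
    """Splunk sharing rules: global objects are seen from every app context,
    app-shared objects only from their own app, and private (user) objects
    only from their own app and only by their owner."""
    sharing = acl.get("sharing")
    if sharing == "global":
        return True
    if sharing == "app":
        return acl.get("app") == app
    if sharing == "user":
        return acl.get("app") == app and acl.get("owner") == user
    return False


def visible_searches(response_json, app, user):
    """Names of the saved searches a client would see in the given app context."""
    entries = json.loads(response_json)["entry"]
    return sorted(e["name"] for e in entries if is_visible(e["acl"], app, user))


def why_not_visible(response_json, name, app, user):
    """Explain why a named search is absent from an app context (None if visible)."""
    for e in json.loads(response_json)["entry"]:
        if e["name"] != name:
            continue
        acl = e["acl"]
        if is_visible(acl, app, user):
            return None
        return (f"'{name}' is shared as '{acl['sharing']}' in app '{acl['app']}' "
                f"(owner '{acl['owner']}'); not visible from app '{app}' as '{user}'")
    return f"'{name}' does not exist"


if __name__ == "__main__":
    print(visible_searches(SAMPLE_RESPONSE, "search", "swiebelhaus"))
    print(why_not_visible(SAMPLE_RESPONSE, "ES Notable Export", "search", "swiebelhaus"))
```

Run the same check against a live instance by replacing `SAMPLE_RESPONSE` with the body of an authenticated GET to the URL in the comment; a search that only shows up under the ES app context is being scoped out, not lost.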

mstjohn_splunk
Splunk Employee

Hi @swiebelhaus,

Sorry you haven't received any answers to your question. I'm sure help is on the way!

Have you figured this out on your own? If you keep us updated, you have a better chance of someone from the community answering your question.

But in the meantime, if you want to try to get some immediate help for your question, you should join the 5000+ Splunk users in our public Slack Community chat. People ask each other for immediate help on there daily. You can share your question/link to your post there to see if anyone can take a stab at it.

You first have to request access through https://splk.it/slack. Fill out the form, and once you receive the approval email from our Community Manager (the approval process may take a couple of days), you can access Slack.com and ask for help in the #general channel.

0 Karma