Splunk Enterprise Security

Sourcetype naming and indexes help!!

ewonn
New Member

Hi guys,
I am working as a security analyst and I monitor many customers using Splunk. I usually deal with incidents that are created by someone higher than me and then investigate them, but now I am trying to learn threat hunting with Splunk and found a lot of great queries that can help. I ran into a few questions that confused me and am hoping to find answers here.
Every customer we have has different index names and sourcetypes. For example, if I want to run a query that has index=auditd and sourcetype=fgt_traffic, this query will not work for every Splunk that I want to search in, because I don't know which index has, say, web logs, or which firewall is in which sourcetype. How can I know the index and sourcetype names, and if they named it something that doesn't match what it does, how can I know what kind of logs are in this sourcetype or index?

My other question is: I know that XmlWinEventLog and WinEventLog have logs for events that happened, but what if I want to see logs for Linux? What sourcetype would that be?

Thank you all

0 Karma

woodcock
Esteemed Legend

All of this should be normalized with the Common Information Model app, which has a bunch of macros called CIM_*_indexes. These should tell you where your stuff is. You can also use |datamodel and |from datamodel.

0 Karma
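As an added example (not woodcock's own text or searches), here is how to use the data models he mentions to find firewall and authentication data when you do not know a customer's index or sourcetype names. The macros shipped in the Splunk Common Information Model add-on are named cim_<DataModel>_indexes in lowercase, for example cim_Network_Traffic_indexes, and a data model search applies them together with the model's tag constraints, so the first two searches report whichever indexes and sourcetypes are actually feeding each model on that customer's instance. The third search shows a few normalized events from the Network_Traffic model, and the last lists the macro definitions so you can see whether they have been set on the CIM setup page. The data model and field names are the standard CIM ones; the choice of models is an assumption based on the firewall and Linux questions above.

```spl
| tstats count from datamodel=Network_Traffic by index, sourcetype

| tstats count from datamodel=Authentication by index, sourcetype

| datamodel Network_Traffic All_Traffic search
| head 5
| table _time, index, sourcetype, All_Traffic.src, All_Traffic.dest, All_Traffic.dest_port, All_Traffic.action

| rest /servicesNS/-/-/admin/macros splunk_server=local
| search title="cim_*_indexes"
| table title, definition
```

Run each search separately. Leave tstats at its default summariesonly=false while you are discovering what exists, because summariesonly=true only returns events already in accelerated summaries. If a model search returns nothing at all, that is itself useful: either the indexes macro is unset or the add-on feeding that model is not tagging events, and in both cases the CIM abstraction is not usable on that customer until it is fixed.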

to4kawa
Ultra Champion
|tstats count where index=* sourcetype=* by index sourcetype
0 Karma
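Extending to4kawa's one-liner, as an added example that is not part of his reply: the first search adds first- and last-seen times per index and sourcetype so stale or one-off feeds stand out, and the next three look inside a sourcetype whose name does not tell you what it contains. The sourcetype fgt_traffic and the 24-hour window are taken from the question as assumed values; replace them with whatever the inventory turns up.

```spl
| tstats count, min(_time) as first_seen, max(_time) as last_seen
    where index=* by index, sourcetype
| convert ctime(first_seen) ctime(last_seen)
| sort - count

index=* sourcetype=fgt_traffic earliest=-24h
| head 20
| table _time, index, source, host, _raw

index=* sourcetype=fgt_traffic earliest=-24h
| fieldsummary maxvals=5
| table field, count, distinct_count, values

index=* sourcetype=fgt_traffic earliest=-24h
| stats count, values(tag) as tags, values(eventtype) as eventtypes by index, sourcetype
```

The raw sample and the fieldsummary output tell you what product wrote the events regardless of how the index was named, and the tags and eventtypes tell you whether an add-on is recognising them for CIM. The same inventory search answers the Linux question too: it lists every sourcetype present, and on hosts forwarding through the Splunk Add-on for Unix and Linux you will typically see authentication events in linux_secure, general syslog in syslog or linux_messages_syslog, and audit records in linux_audit.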