Splunk Enterprise Security

Sourcetype naming and indexes help!!

ewonn
New Member

Hi guys,
I am working as a security analyst and I monitor many customers using Splunk. I usually deal with incidents that are created by someone higher than me and then investigate them, but now I am trying to learn threat hunting with Splunk and have found a lot of great queries that can help. However, I ran into a few questions that confused me and I am hoping to find answers here.
Every customer we have has different index names and sourcetypes. For example, say I want to run a query that has index=auditd and sourcetype=fgt_traffic. This query will not work for every Splunk instance that I want to search, because I don't know which index has, say, the web logs, or which firewall is in which sourcetype. How can I find out the index and sourcetype names? And if they named it something that doesn't match what it does, how can I know what kind of logs are in that sourcetype or index?

My other question is: I know that XmlWinEventLog and WinEventLog have logs for events that happened, but what if I want to see logs for Linux? What sourcetype would that be?

Thank you all

0 Karma

woodcock
Esteemed Legend

All of this should be normalized with the Common Information Model app which has a bunch of macros called CIM_*_indexes. These should tell you where your stuff is. You can also use |datamodel and |from datamodel.

0 Karma

to4kawa
Ultra Champion
|tstats count where index=* sourcetype=* by index sourcetype
0 Karma
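The discovery steps the two answers above describe, as an added SPL example that is not part of either answer. It assumes the running role can read the indexes being enumerated (index=* only returns what your role is allowed to see) and, for the data model searches, that the Splunk Common Information Model add-on is installed. The index and sourcetype names auditd and fgt_traffic are the ones from the question, used only as placeholders; the Linux search finds candidates by name pattern rather than assuming any customer's naming.

```spl
| tstats count where index=* earliest=-24h by index sourcetype
| sort - count

index=auditd sourcetype=fgt_traffic earliest=-1h
| head 1000
| fieldsummary maxvals=5
| table field count distinct_count values

| tstats count from datamodel=Network_Traffic.All_Traffic by sourcetype

| from datamodel:"Network_Traffic.All_Traffic"
| head 5

| metadata type=sourcetypes index=*
| search sourcetype=*linux* OR sourcetype=syslog OR sourcetype=*audit*
| convert ctime(firstTime) ctime(lastTime)
| sort - totalCount
```

Run these as five separate searches. The first is the enumeration from the answer above with a time window and sort added, so stale sourcetypes with a handful of events fall to the bottom. The second is the check for a sourcetype whose name tells you nothing: fieldsummary over a sample of events lists the extracted fields and a few of their values, which usually reveals the product (src_ip, dest_port and action point to a firewall; uri and status to a web server) faster than reading raw events. The third and fourth take the CIM route: instead of guessing which sourcetype holds firewall traffic, ask the Network_Traffic data model which sourcetypes populate it, and look at the normalized fields with from datamodel; swap in Authentication or Web.Web for other log types. The last one answers the Linux question for an environment you do not know: metadata returns every sourcetype with its first and last event time and total count, filtered to names that look like Linux or syslog data; hosts sending through the Splunk Add-on for Unix and Linux typically show up as syslog, linux_secure, linux_messages_syslog or linux_audit, but the names are set per input, so verify with the second search before relying on them.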