Splunk Enterprise Security
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk App for Enterprise Security: Is it possible to limit my search of the Intrusion Detection datamodel to only IPS events and exclude firewall events?

may_aaron
Engager
‎08-28-2015 12:08 PM

I want to create a single value chart to illustrate total intrusion detection events, however, I want to limit the results to our IPS threat events and exclude our firewall threat events. Is this possible to do this? Also, are there any good resources for understanding the datamodel search syntax? I've reviewed the Splunk documentation, but I didn't find it very helpful.

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎08-31-2015 04:31 PM

Certainly; you could modify the data model itself to include a base-level filter string (like "sourcetype=my_ips_sourcetype") in the base event filter. Not recommended, but possible. Note that in future versions of ES, you'll be able to easily provide (with UI workflow) a list of indexes to consider. In this way, you could constrain the model to only search the index where the IDS / IPS data live, and ignore the firewall index.

Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
Top