Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Enterprise Security: How to exclude indexes from Authentication Data Model

lucas4394
Path Finder
‎08-27-2019 09:04 AM

How to exclude some indexes from authentication data model?

We have some indexes such as lastchanceindex, but eventtype was defined within Splunk_TA_nix.

Any clues?

Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

memarshall63
Communicator
‎08-28-2019 07:20 PM

The indexes to include in each data model are defined within the CIM app (Splunk_SA_CIM).

As an administrator, you can access the Common Information Model app under "Manage Apps" and then select "Setup" -- this takes you to a page that shows the data models configuration. The page address is:

https: //(URL of your Splunk deployment)/en-US/app/Splunk_SA_CIM/cim_setup?action=edit.

Each data model has an "Index Whitelist". By default, this whitelist is set to "All Indexes". You can restrict the data model in that field to only examine your desired indexes.

These whitelisted indexes are then referenced in the macros like cim_Authentication_indexes in the dataset definitions.

You can find more documentation on this here: https://docs.splunk.com/Documentation/CIM/latest/User/Setup

View solution in original post

Reply
Solved! Jump to solution
Solution

memarshall63
Communicator
‎08-28-2019 07:20 PM

The indexes to include in each data model are defined within the CIM app (Splunk_SA_CIM).

As an administrator, you can access the Common Information Model app under "Manage Apps" and then select "Setup" -- this takes you to a page that shows the data models configuration. The page address is:

https: //(URL of your Splunk deployment)/en-US/app/Splunk_SA_CIM/cim_setup?action=edit.

Each data model has an "Index Whitelist". By default, this whitelist is set to "All Indexes". You can restrict the data model in that field to only examine your desired indexes.

These whitelisted indexes are then referenced in the macros like cim_Authentication_indexes in the dataset definitions.

You can find more documentation on this here: https://docs.splunk.com/Documentation/CIM/latest/User/Setup

Reply
Solved! Jump to solution

lucas4394
Path Finder
‎09-03-2019 02:22 PM

Do you recommend to exclude the indexes from the the macro or other workarounds?

0 Karma
Reply
Solved! Jump to solution

memarshall63
Communicator
‎09-03-2019 03:43 PM

I really don't have a recommendation on 'exclusions'.

I don't know where those macros are referenced, but I would assume they're at the basis of the data model.
Definitely the datasets are established from them. Possibly, acceleration jobs leverage them, too.. Can't say for sure.

Unless you've got a solid reason to the contrary. I'd use the whitelist.

0 Karma
Reply
Solved! Jump to solution

solarboyz1
Builder
‎08-27-2019 12:39 PM

Each of the data models is created using a search string. The default for the Authentication DM is based on the macro cim_Authentication_indexes

Find the macro cim_Authentication_indexes, and modify it to include or exclude specific indexes.

Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...