Splunk Enterprise Security
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Enterprise Security: How to exclude indexes from Authentication Data Model

lucas4394
Path Finder
‎08-27-2019 09:04 AM

How to exclude some indexes from authentication data model?

We have some indexes such as lastchanceindex, but eventtype was defined within Splunk_TA_nix.

Any clues?

Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

memarshall63
Communicator
‎08-28-2019 07:20 PM

The indexes to include in each data model are defined within the CIM app (Splunk_SA_CIM).

As an administrator, you can access the Common Information Model app under "Manage Apps" and then select "Setup" -- this takes you to a page that shows the data models configuration. The page address is:

https: //(URL of your Splunk deployment)/en-US/app/Splunk_SA_CIM/cim_setup?action=edit.

Each data model has an "Index Whitelist". By default, this whitelist is set to "All Indexes". You can restrict the data model in that field to only examine your desired indexes.

These whitelisted indexes are then referenced in the macros like cim_Authentication_indexes in the dataset definitions.

You can find more documentation on this here: https://docs.splunk.com/Documentation/CIM/latest/User/Setup

View solution in original post

Reply
Solved! Jump to solution
Solution

memarshall63
Communicator
‎08-28-2019 07:20 PM

The indexes to include in each data model are defined within the CIM app (Splunk_SA_CIM).

As an administrator, you can access the Common Information Model app under "Manage Apps" and then select "Setup" -- this takes you to a page that shows the data models configuration. The page address is:

https: //(URL of your Splunk deployment)/en-US/app/Splunk_SA_CIM/cim_setup?action=edit.

Each data model has an "Index Whitelist". By default, this whitelist is set to "All Indexes". You can restrict the data model in that field to only examine your desired indexes.

These whitelisted indexes are then referenced in the macros like cim_Authentication_indexes in the dataset definitions.

You can find more documentation on this here: https://docs.splunk.com/Documentation/CIM/latest/User/Setup

Reply
Solved! Jump to solution

lucas4394
Path Finder
‎09-03-2019 02:22 PM

Do you recommend to exclude the indexes from the the macro or other workarounds?

0 Karma
Reply
Solved! Jump to solution

memarshall63
Communicator
‎09-03-2019 03:43 PM

I really don't have a recommendation on 'exclusions'.

I don't know where those macros are referenced, but I would assume they're at the basis of the data model.
Definitely the datasets are established from them. Possibly, acceleration jobs leverage them, too.. Can't say for sure.

Unless you've got a solid reason to the contrary. I'd use the whitelist.

0 Karma
Reply
Solved! Jump to solution

solarboyz1
Builder
‎08-27-2019 12:39 PM

Each of the data models is created using a search string. The default for the Authentication DM is based on the macro cim_Authentication_indexes

Find the macro cim_Authentication_indexes, and modify it to include or exclude specific indexes.

Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top