Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Enterprise Security: How to exclude indexes from Authentication Data Model

lucas4394
Path Finder
‎08-27-2019 09:04 AM

How to exclude some indexes from authentication data model?

We have some indexes such as lastchanceindex, but eventtype was defined within Splunk_TA_nix.

Any clues?

Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

memarshall63
Communicator
‎08-28-2019 07:20 PM

The indexes to include in each data model are defined within the CIM app (Splunk_SA_CIM).

As an administrator, you can access the Common Information Model app under "Manage Apps" and then select "Setup" -- this takes you to a page that shows the data models configuration. The page address is:

https: //(URL of your Splunk deployment)/en-US/app/Splunk_SA_CIM/cim_setup?action=edit.

Each data model has an "Index Whitelist". By default, this whitelist is set to "All Indexes". You can restrict the data model in that field to only examine your desired indexes.

These whitelisted indexes are then referenced in the macros like cim_Authentication_indexes in the dataset definitions.

You can find more documentation on this here: https://docs.splunk.com/Documentation/CIM/latest/User/Setup

View solution in original post

Reply
Solved! Jump to solution
Solution

memarshall63
Communicator
‎08-28-2019 07:20 PM

The indexes to include in each data model are defined within the CIM app (Splunk_SA_CIM).

As an administrator, you can access the Common Information Model app under "Manage Apps" and then select "Setup" -- this takes you to a page that shows the data models configuration. The page address is:

https: //(URL of your Splunk deployment)/en-US/app/Splunk_SA_CIM/cim_setup?action=edit.

Each data model has an "Index Whitelist". By default, this whitelist is set to "All Indexes". You can restrict the data model in that field to only examine your desired indexes.

These whitelisted indexes are then referenced in the macros like cim_Authentication_indexes in the dataset definitions.

You can find more documentation on this here: https://docs.splunk.com/Documentation/CIM/latest/User/Setup

Reply
Solved! Jump to solution

lucas4394
Path Finder
‎09-03-2019 02:22 PM

Do you recommend to exclude the indexes from the the macro or other workarounds?

0 Karma
Reply
Solved! Jump to solution

memarshall63
Communicator
‎09-03-2019 03:43 PM

I really don't have a recommendation on 'exclusions'.

I don't know where those macros are referenced, but I would assume they're at the basis of the data model.
Definitely the datasets are established from them. Possibly, acceleration jobs leverage them, too.. Can't say for sure.

Unless you've got a solid reason to the contrary. I'd use the whitelist.

0 Karma
Reply
Solved! Jump to solution

solarboyz1
Builder
‎08-27-2019 12:39 PM

Each of the data models is created using a search string. The default for the Authentication DM is based on the macro cim_Authentication_indexes

Find the macro cim_Authentication_indexes, and modify it to include or exclude specific indexes.

Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...