Splunk Enterprise Security

Splunk Enterprise Security: How to exclude indexes from Authentication Data Model

lucas4394
Path Finder

How to exclude some indexes from authentication data model?

We have some indexes such as lastchanceindex, but eventtype was defined within Splunk_TA_nix.

Any clues?

Thanks.

0 Karma
1 Solution

memarshall63
Communicator

The indexes to include in each data model are defined within the CIM app (Splunk_SA_CIM).

As an administrator, you can access the Common Information Model app under "Manage Apps" and then select "Setup" -- this takes you to a page that shows the data models configuration. The page address is:

https: //(URL of your Splunk deployment)/en-US/app/Splunk_SA_CIM/cim_setup?action=edit.

Each data model has an "Index Whitelist". By default, this whitelist is set to "All Indexes". You can restrict the data model in that field to only examine your desired indexes.

These whitelisted indexes are then referenced in the macros like cim_Authentication_indexes in the dataset definitions.

You can find more documentation on this here: https://docs.splunk.com/Documentation/CIM/latest/User/Setup

View solution in original post

memarshall63
Communicator

The indexes to include in each data model are defined within the CIM app (Splunk_SA_CIM).

As an administrator, you can access the Common Information Model app under "Manage Apps" and then select "Setup" -- this takes you to a page that shows the data models configuration. The page address is:

https: //(URL of your Splunk deployment)/en-US/app/Splunk_SA_CIM/cim_setup?action=edit.

Each data model has an "Index Whitelist". By default, this whitelist is set to "All Indexes". You can restrict the data model in that field to only examine your desired indexes.

These whitelisted indexes are then referenced in the macros like cim_Authentication_indexes in the dataset definitions.

You can find more documentation on this here: https://docs.splunk.com/Documentation/CIM/latest/User/Setup

lucas4394
Path Finder

Do you recommend to exclude the indexes from the the macro or other workarounds?

0 Karma

memarshall63
Communicator

I really don't have a recommendation on 'exclusions'.

I don't know where those macros are referenced, but I would assume they're at the basis of the data model.
Definitely the datasets are established from them. Possibly, acceleration jobs leverage them, too.. Can't say for sure.

Unless you've got a solid reason to the contrary. I'd use the whitelist.

0 Karma

solarboyz1
Builder

Each of the data models is created using a search string. The default for the Authentication DM is based on the macro cim_Authentication_indexes

Find the macro cim_Authentication_indexes, and modify it to include or exclude specific indexes.

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...