Solved: Splunk Enterprise Security

kkkelvinkk · ‎04-06-2017

Hi,

I have installed a splunk enterprise trial and also requested Splunk Enterprise Security. I noticed that when I try a simple search "fail* password" in both platform, the fields that available are different. In Splunk Enterprise Security, the fields "dest, src, user" are being shown. I would like to ask is these fields are being known to splunk after installing Splunk Enterprise Security ?
Thanks all.

sfefcu · ‎04-07-2017

The Splunk Enterprise Security App installs several security-specific apps and configured inputs. The idea is to make it (Common Information Model) CIM-compliant. The Common Information Model (Splunk_SA_CIM) is one of the apps that is installed. Those fields (dest, src, user) are part of that app.

View solution in original post

kkkelvinkk · ‎04-07-2017

Thanks. I have installed the CIM, but CIM alone sms did not extract those fields. I also install Splunk Add-on for Unix and Linux and the fields are available now.

sfefcu · ‎04-07-2017

The Splunk Enterprise Security App installs several security-specific apps and configured inputs. The idea is to make it (Common Information Model) CIM-compliant. The Common Information Model (Splunk_SA_CIM) is one of the apps that is installed. Those fields (dest, src, user) are part of that app.

Splunk Enterprise Security

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!