Splunk Enterprise Security
Highlighted

Splunk Enterprise Security

New Member

Hi,

I have installed a splunk enterprise trial and also requested Splunk Enterprise Security. I noticed that when I try a simple search "fail* password" in both platform, the fields that available are different. In Splunk Enterprise Security, the fields "dest, src, user" are being shown. I would like to ask is these fields are being known to splunk after installing Splunk Enterprise Security ?
Thanks all.

0 Karma
Highlighted

Re: Splunk Enterprise Security

Path Finder

The Splunk Enterprise Security App installs several security-specific apps and configured inputs. The idea is to make it (Common Information Model) CIM-compliant. The Common Information Model (SplunkSACIM) is one of the apps that is installed. Those fields (dest, src, user) are part of that app.

View solution in original post

0 Karma
Highlighted

Re: Splunk Enterprise Security

New Member

Thanks. I have installed the CIM, but CIM alone sms did not extract those fields. I also install Splunk Add-on for Unix and Linux and the fields are available now.

0 Karma