I have installed a splunk enterprise trial and also requested Splunk Enterprise Security. I noticed that when I try a simple search "fail* password" in both platform, the fields that available are different. In Splunk Enterprise Security, the fields "dest, src, user" are being shown. I would like to ask is these fields are being known to splunk after installing Splunk Enterprise Security ?
The Splunk Enterprise Security App installs several security-specific apps and configured inputs. The idea is to make it (Common Information Model) CIM-compliant. The Common Information Model (SplunkSACIM) is one of the apps that is installed. Those fields (dest, src, user) are part of that app.