Splunk Enterprise Security

Splunk enterprise security input data

Prakhar_shukla
Path Finder

I have installed Splunk ES in SH cluster and search head as mentioned in docs. i have also installed add-on in which index-operation is true in indexers. However i am not clear what to do next. for example, when i am checking in SH > ES > Asset center or Identify master it is showing data which is in sample csv look up. there look up are in SH.

now suppose i need to create a dash board in ES > SH for monitoring authentication activity of admin user on all splunk servers. from where i need to specify thing/data. in forwarder or in SH>ES ? how flow of data work in this case.

i could not find any doc with such detail.

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

You would create your dashboards, reports, correlation searches, inputs, alerts etc on the ES Search Head (SH.) But since you are using a Search Head Cluster (SHC), you do need to be aware that there are some configurations that you have to do in a dev environment, and then push via a deployer. (This is mainly modular inputs and threatlists..)

0 Karma

Prakhar_shukla
Path Finder

thanks for quick response.

but how about data input. from where exactly it comes. Like core splunk we use Forwarder to indexer > then search head. or directly to splunk instance where ES is installed?

0 Karma
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...