Re: Splunk enterprise security input data

Prakhar_shukla · ‎04-26-2017

I have installed Splunk ES in SH cluster and search head as mentioned in docs. i have also installed add-on in which index-operation is true in indexers. However i am not clear what to do next. for example, when i am checking in SH > ES > Asset center or Identify master it is showing data which is in sample csv look up. there look up are in SH.

now suppose i need to create a dash board in ES > SH for monitoring authentication activity of admin user on all splunk servers. from where i need to specify thing/data. in forwarder or in SH>ES ? how flow of data work in this case.

i could not find any doc with such detail.

esix_splunk · ‎04-26-2017

You would create your dashboards, reports, correlation searches, inputs, alerts etc on the ES Search Head (SH.) But since you are using a Search Head Cluster (SHC), you do need to be aware that there are some configurations that you have to do in a dev environment, and then push via a deployer. (This is mainly modular inputs and threatlists..)

Prakhar_shukla · ‎04-26-2017

thanks for quick response.

but how about data input. from where exactly it comes. Like core splunk we use Forwarder to indexer > then search head. or directly to splunk instance where ES is installed?

Splunk enterprise security input data

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!