Splunk Enterprise Security

Splunk enterprise security input data

Prakhar_shukla
Path Finder

I have installed Splunk ES in SH cluster and search head as mentioned in docs. i have also installed add-on in which index-operation is true in indexers. However i am not clear what to do next. for example, when i am checking in SH > ES > Asset center or Identify master it is showing data which is in sample csv look up. there look up are in SH.

now suppose i need to create a dash board in ES > SH for monitoring authentication activity of admin user on all splunk servers. from where i need to specify thing/data. in forwarder or in SH>ES ? how flow of data work in this case.

i could not find any doc with such detail.

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

You would create your dashboards, reports, correlation searches, inputs, alerts etc on the ES Search Head (SH.) But since you are using a Search Head Cluster (SHC), you do need to be aware that there are some configurations that you have to do in a dev environment, and then push via a deployer. (This is mainly modular inputs and threatlists..)

0 Karma

Prakhar_shukla
Path Finder

thanks for quick response.

but how about data input. from where exactly it comes. Like core splunk we use Forwarder to indexer > then search head. or directly to splunk instance where ES is installed?

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...