Splunk Enterprise Security

Splunk enterprise security input data

Prakhar_shukla
Path Finder

I have installed Splunk ES in SH cluster and search head as mentioned in docs. i have also installed add-on in which index-operation is true in indexers. However i am not clear what to do next. for example, when i am checking in SH > ES > Asset center or Identify master it is showing data which is in sample csv look up. there look up are in SH.

now suppose i need to create a dash board in ES > SH for monitoring authentication activity of admin user on all splunk servers. from where i need to specify thing/data. in forwarder or in SH>ES ? how flow of data work in this case.

i could not find any doc with such detail.

0 Karma

esix_splunk
Splunk Employee
Splunk Employee

You would create your dashboards, reports, correlation searches, inputs, alerts etc on the ES Search Head (SH.) But since you are using a Search Head Cluster (SHC), you do need to be aware that there are some configurations that you have to do in a dev environment, and then push via a deployer. (This is mainly modular inputs and threatlists..)

0 Karma

Prakhar_shukla
Path Finder

thanks for quick response.

but how about data input. from where exactly it comes. Like core splunk we use Forwarder to indexer > then search head. or directly to splunk instance where ES is installed?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...