I've been looking at the installation process of Splunk CIM and got stuck on a step.
After installation there seems to be a need to whitelist indexes for data models (or vice versa). I realize this can be done pretty easily through the GUI, though normally the configuration is handled centrally.
Having come up empty looking through the content of the app/package, is it possible to specify index whitelists for particular data models in any conf file that I may have missed?
Thank you very much @smurf. I was planning to start editing the GUI and tracking file changes to pinpoint the right one, though this does look like the right spot for whitelisting:
[cim_Endpoint_indexes]
definition = ()
While technically a second question (sorry), do you know the format for definition? Is it just CSV?
[cim_Endpoint_indexes]
definition = (index1, index2)
The definition of a macro is the search itself. So it could look something like this:
definition = (index=index1 OR index=index2)
You can find more details in the macros.conf spec (macros.conf - Splunk Documentation).
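As an added example (not from this thread or from the CIM app itself), here is how the stanza would sit in a local macros.conf so it can be shipped centrally instead of edited in the GUI; the file path and the index names are assumptions. Scoping each data model to the indexes that actually hold that data keeps accelerated searches from reading, and exposing, indexes they were never meant to cover.

```ini
# Added example: $SPLUNK_HOME/etc/apps/Splunk_SA_CIM/local/macros.conf
# (path assumed; index names are constructed). A stanza in local/ overrides
# the empty definition shipped in default/, so only the macros you want to
# constrain need to appear here.

# Restrict the Endpoint data model to the two indexes that hold endpoint
# telemetry. The definition is a search fragment, not a CSV list, so each
# index needs its own index= term and the terms are joined with OR.
[cim_Endpoint_indexes]
definition = (index=wineventlog OR index=sysmon)

# Same pattern for another data model. Leaving a definition as "()" imposes
# no index constraint at all, which is the shipped default.
[cim_Authentication_indexes]
definition = (index=wineventlog OR index=linux_auth)
```

After deploying, the effective value can be confirmed from the CIM setup page or by checking the merged macros.conf rather than trusting the file on disk alone.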