- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Define user field in Security Essentials
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Define user field in Security Essentials
I have added Security Essentials on my indexer and the Splunk_TA_windows app on the forwarders however when i run the First Time Logon to New Server query I get
'You should have a field called "user" defined in your Windows Security logs. This is provided by the Splunk TA for Windows. Consider adding that TA to make for a better experience!'
How do I define fields? Does this add-on change the user_logon field from the security event log to user for cim or something?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You actually need to have the "Splunk Add-on for Microsoft Windows" installed on your Searcheads/Indexers.
https://splunkbase.splunk.com/app/742/
This will configure all of the necessary field extractions in order to allow those searches to run, and as you have noted formats the data inline with the Splunk Common Information Model
When you install the TA on an indexer/SH you don't need to configure anything, simply install and restart when prompted.
Sidenote: Best practices says that ideally you remove the inputs.conf/eventgen.conf/sample data when installing to Production, but not strictly necessary.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to setup the inputs.conf for the Splunk_TA_windows app.
https://docs.splunk.com/Documentation/WindowsAddOn/4.8.4/User/Configuration
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tnorth42 - I have inputs.conf set up. Which specific stanza in the inputs.conf file needs to be enabled?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Same problem for me. Apparently the user field is not extracted correctly in Splunk 7.03 when the AD server OS is in a foreign laguage, in my casi spanish
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unfortunately I am not sure exactly which one does it, i do know that after enabling all it was showing up. can you tag this with "Splunk Security Essentials", the developer usually replies back very quickly.
Developer Spotlight with Paul Stout
State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...
Data-Driven Success: Splunk & Financial Services
