Hi all - we are starting to build out Splunk as our SIEM, and beginning to link and chain info together. We are setting up a few new indexes to store what I think should be collected or post-processed data.
For instance - if I have a firewall event that has a new, unseen public IP, I want to store some data from that event, as well as some new fields from lookups and the iplocation command.
Now if I use collect, it doesn't seem to do exactly what I want. I see collect saves the data, but it is in the original form - less any renames, evals, etc.; ignoring the fields statement which outputs only select fields; and less any other implied things like CIM field aliases.
So my questions are:
1 - Is using collect and a separate index the best way to store this stuff? (We'd like to have one table of new / suspect IPs, one table of internal assets, etc.) Or is it best done into lookup tables / CSVs?
2 - Should I expect the output of my commands piped into the collect statement to match up mostly (excluding meta fields, I understand) with the same output without the collect command?
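The behaviour described in the post (renames, evals and the fields list seemingly ignored by collect) comes from the way collect writes events: when a `_raw` field is still present in the results, collect stores that original `_raw` rather than the computed fields, and the `fields` command keeps `_raw` and `_time` even when they are not in its keep-list. Dropping `_raw` explicitly before collect makes the remaining fields the event that is written. The search below is an added example, not part of the original post; the index names, the `dest_ip` field and the `suspect_ips` summary index are constructed assumptions, and the iplocation output fields are the ones that command adds by default.

```spl
index=firewall action=allowed
| iplocation dest_ip
    /* adds City, Country, Region, lat, lon for the public IP */
| eval first_seen=_time, status="new"
| rename dest_ip AS ip
| fields - _raw
    /* `fields ip ...` alone would still retain _raw and _time,
       and collect would write the untouched original event */
| fields ip first_seen status Country City
| collect index=suspect_ips
```

With `_raw` removed, each row lands in `suspect_ips` as key=value pairs for the fields that survived the `fields` list, so a later search against that index sees `ip`, `first_seen`, `status`, `Country` and `City` rather than the original firewall event. The same result can be reached by aggregating with `stats` or `table` before collect, since those commands produce results without a `_raw` field.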