Hi Michael, It depends what you're looking for and your environment: you could just start with a few basic rules and dashboards (security or not) if you do not have much security background or are too busy. You might add ES later to have some more in depth view of your security, or add it at the beginning if you have enough people with security skills. Keep in mind you should go step after steps, and that even with ES, you will need to adapt it to your company and threats. ... View more

On way to do it is to go to your Splunk home directory and delete the custom files: /opt/splunk/etc/apps/Splunk_SA_CIM/default/data/models/xxx.json for datamodel /opt/splunk/etc/apps/xxx/local/data/ui/views/yyy.xml (or etc/users/ if they are private) for dashboards (you may use the find command if you do not know the apps they are belong too). And you need to restart Splunk after. ... View more

Hello, no this is not supported, and it will not work at all: Hadoop is too slow, lacks real time, and one of the strong capabilities of Splunk is the ability to collect more than logs (event registry changes, file info for IOC, network streams...). You will miss completly this with Splunk and Hadoop does not include by itself any way to collect data. However, ES can export old data from Splunk Enterprise to Hadoop (using Hunk) allowing to still have access to old raw logs (ES will use the accelerated datamodel for performance). This is supported. ... View more

First, make sure they are shared as global object. Second, ES only import objects from apps starting with TA_ Splunk_TA ... See here for more details: https://answers.splunk.com/answers/252035/how-to-make-url-toolbox-available-from-the-splunk.html ... View more

Hello, you will find more specific dashboards in apps focused on one kind of device, but it will be easy to import them in ES or add a customized version. Anyway, in a lot of cases, you will need at least TA from Cisco or F5 apps to load and normalize the data. I think you should ask the question in another way: what are your needs ? If you focus on security and already have a good security maturity, ES does the job. Other wise, try custom apps based on F5 and Cisco apps. ... View more

The datamodel, as used in the CIM standard (on which ES is based), does not depends on the indexes. So, unless you modify the underlying searches or add an index field to the datamodel, it is not possible. You'd better make sure that your data is not tagged to go in the datamodel. ... View more