Hey splunk>answers,
As the title suggests I'm not sure what or how I should go about any of this. The long story short:
1) Universal Forwarder on a local syslog server. Monitors the syslog files that are created.
2) Splunk server listens for the universal forwarder. Then Splunk works its magic for searching and indexing the data.
3) I also have the common information model app installed for practice and testing.
Where I'm stuck is with this:
How does the Common Information Model help me when transforming, indexing, and searching syslog and (hopefully) Active Directory data?
How can I properly identify interesting fields in syslog? I have it identified as syslog traffic, and in Splunk I see the Time column and the Event column. I'm wondering if there are ways I can drill that data down even further.
Appreciate any advice as always,
tentontitan
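As an added illustration of what "drilling down" a syslog event into fields means (this is example code written for this page, not anything from the original poster or from Splunk), the block below parses a few constructed RFC 3164-style syslog lines, pulls the interesting fields out of sshd authentication messages with a regex, and renames them to the field names the CIM Authentication data model expects (`user`, `src`, `dest`, `action`, `app`). The sample lines and the regexes are assumptions made for this example; the same capture groups would normally live in a `props.conf` extraction stanza on the indexer or search head.

```python
import re

# Constructed sample syslog lines (RFC 3164 layout); not taken from the original post.
SAMPLE_LINES = [
    "Mar 10 14:02:11 bastion01 sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2",
    "Mar 10 14:02:15 bastion01 sshd[2231]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2",
    "Mar 10 14:03:01 bastion01 CRON[2290]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Generic syslog header: "<timestamp> <host> <process>[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<process>[^\[\]:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)

# sshd-specific extraction; this is the kind of regex that would go into a
# props.conf "EXTRACT-" stanza scoped to the syslog sourcetype (assumed layout).
SSHD_AUTH_RE = re.compile(
    r"^(?P<outcome>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<src_port>\d+)"
)


def parse_syslog(line):
    """Split a raw syslog line into header fields plus the free-text message."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # not a syslog line we understand; keep the raw event as-is
    return m.groupdict()


def to_cim_authentication(event):
    """Map a parsed sshd event onto CIM Authentication data model field names."""
    if event is None or event.get("process") != "sshd":
        return None
    m = SSHD_AUTH_RE.match(event["message"])
    if not m:
        return None  # sshd line that is not a login attempt (e.g. session opened)
    return {
        "_time": event["timestamp"],
        "dest": event["host"],               # system being logged into
        "app": "sshd",
        "user": m.group("user"),
        "src": m.group("src_ip"),            # where the attempt came from
        "src_port": int(m.group("src_port")),
        # CIM expects a normalized action value rather than the raw "Accepted"/"Failed"
        "action": "success" if m.group("outcome") == "Accepted" else "failure",
        "authentication_method": m.group("method"),
    }


def normalize(lines):
    """Return CIM-shaped authentication events for every line that is an sshd login attempt."""
    events = []
    for line in lines:
        cim = to_cim_authentication(parse_syslog(line))
        if cim is not None:
            events.append(cim)
    return events


if __name__ == "__main__":
    for ev in normalize(SAMPLE_LINES):
        print(ev)
```

Once fields carry these names, a search like `action=failure` over the Authentication data model works the same for sshd syslog as it would for Windows logon events, which is the practical payoff of CIM: it does not change how data is indexed, it gives every source a shared vocabulary at search time.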