Splunk's documentation theme seems to be "you need to have first done the thing before the documentation makes any sense"; this approach is infuriating. Documents contain no images to keep you on track, no detailed explanation of what needs to be done, and too many references to external sources. I can't actually learn anything from a single page of Splunk documentation; it is truly some of the worst writing I have ever encountered. I have read the docs you supplied; that is why I am here. What I'm missing is: what do I do now? How do I test it? Do I have to install this on a forwarder vs. the search head? How do I know it works? Can I prove to my supervisor that this product has value?
I'm new to Splunk, but I have used other SIEMs; they have all been on-prem, so I could actually manage the product from start to finish. I opened a ticket to have the add-on installed, and that was finished this morning, but I have no idea what to do now. I did some googling and searching here, but a lot of the material I found doesn't look like what I'm seeing, so I wanted to see if anyone here had similar issues or knows of any documentation I can read through that you found helpful. There is also the chance that I am misunderstanding what an add-on does.
For reference, I had these three add-ons installed:
Splunk Common Information Model
Splunk Add-on for Cisco ASA
Splunk Add-on for Microsoft Active Directory
Splunk Add-on for Microsoft Windows