Are you a member of the Splunk Community?
- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- Splunk Enterprise Security: How to exclude indexes...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to exclude some indexes from authentication data model?
We have some indexes such as lastchanceindex, but eventtype was defined within Splunk_TA_nix.
Any clues?
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The indexes to include in each data model are defined within the CIM app (Splunk_SA_CIM).
As an administrator, you can access the Common Information Model app under "Manage Apps" and then select "Setup" -- this takes you to a page that shows the data models configuration. The page address is:
https: //(URL of your Splunk deployment)/en-US/app/Splunk_SA_CIM/cim_setup?action=edit.
Each data model has an "Index Whitelist". By default, this whitelist is set to "All Indexes". You can restrict the data model in that field to only examine your desired indexes.
These whitelisted indexes are then referenced in the macros like cim_Authentication_indexes in the dataset definitions.
You can find more documentation on this here: https://docs.splunk.com/Documentation/CIM/latest/User/Setup
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The indexes to include in each data model are defined within the CIM app (Splunk_SA_CIM).
As an administrator, you can access the Common Information Model app under "Manage Apps" and then select "Setup" -- this takes you to a page that shows the data models configuration. The page address is:
https: //(URL of your Splunk deployment)/en-US/app/Splunk_SA_CIM/cim_setup?action=edit.
Each data model has an "Index Whitelist". By default, this whitelist is set to "All Indexes". You can restrict the data model in that field to only examine your desired indexes.
These whitelisted indexes are then referenced in the macros like cim_Authentication_indexes in the dataset definitions.
You can find more documentation on this here: https://docs.splunk.com/Documentation/CIM/latest/User/Setup
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you recommend to exclude the indexes from the the macro or other workarounds?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I really don't have a recommendation on 'exclusions'.
I don't know where those macros are referenced, but I would assume they're at the basis of the data model.
Definitely the datasets are established from them. Possibly, acceleration jobs leverage them, too.. Can't say for sure.
Unless you've got a solid reason to the contrary. I'd use the whitelist.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Each of the data models is created using a search string. The default for the Authentication DM is based on the macro cim_Authentication_indexes
Find the macro cim_Authentication_indexes, and modify it to include or exclude specific indexes.
Tech Talk Recap | Mastering Threat Hunting
Observability for AI Applications: Troubleshooting Latency
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
