Splunk Enterprise Security

Splunk Enterprise Security

kkkelvinkk
New Member

Hi,

I have installed a splunk enterprise trial and also requested Splunk Enterprise Security. I noticed that when I try a simple search "fail* password" in both platform, the fields that available are different. In Splunk Enterprise Security, the fields "dest, src, user" are being shown. I would like to ask is these fields are being known to splunk after installing Splunk Enterprise Security ?
Thanks all.

0 Karma
1 Solution

sfefcu
Path Finder

The Splunk Enterprise Security App installs several security-specific apps and configured inputs. The idea is to make it (Common Information Model) CIM-compliant. The Common Information Model (Splunk_SA_CIM) is one of the apps that is installed. Those fields (dest, src, user) are part of that app.

View solution in original post

0 Karma

kkkelvinkk
New Member

Thanks. I have installed the CIM, but CIM alone sms did not extract those fields. I also install Splunk Add-on for Unix and Linux and the fields are available now.

0 Karma

sfefcu
Path Finder

The Splunk Enterprise Security App installs several security-specific apps and configured inputs. The idea is to make it (Common Information Model) CIM-compliant. The Common Information Model (Splunk_SA_CIM) is one of the apps that is installed. Those fields (dest, src, user) are part of that app.

0 Karma
Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...