Splunk® Enterprise Security

Install and Upgrade Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Get data into the app

Each data source for the Splunk App for Enterprise Security must be added with the correct predefined source type, so that the app knows which technology created the event and how the event must be processed. You also need to decide how the data is sent to the Splunk indexer.

Add data sources

Use Splunk's data inputs to get data into Splunk for Enterprise Security. To enable sources and ensure the data is categorized correctly for the Splunk App for Enterprise Security, take the following into consideration:

  • Identify each class of data you want to get into Splunk (each vendor, product, and type of data to be imported).
  • Find the Technology Add-on for that data source and perform any necessary configuration, as described in the README file included with the Add-on. The README also states the source type assignment required to classify data from that technology. For a list of recognized data formats, see the "Out of box source types" section in the Data Source Integration manual.
  • Configure your device to send data through Splunk Forwarders.

See "Add-ons and data inputs" for information on how to get data into Splunk for Enterprise Security using add-ons. You can create add-ons to get data from additional sources. See the Data Source Integration manual for information.

Configure device to send data

Configure the device to send the data to the port you defined. The port and protocol must match the data input you defined in Splunk for that source type. Consult the documentation for your device for more information.

Verify source types

Once the data is configured, you can verify the data is being handled correctly by searching for the source type in the Enterprise Security dashboards. For example, if you added Juniper Netscreen data, you would perform the following search to confirm that the events exist:

sourcetype="netscreen:firewall"

If you do not see any data, check the following:

  • Verify the data input has the correct source type. To do this, click Settings in the top right of Splunk Web, then select Data Inputs. Select the type of data input you defined (TCP, UDP, etc.) then select your input and make sure that the source type field is correct.
  • Verify that data from the device is present in Splunk. To do this, run a search that lists every host sending events to Splunk and check that the device you configured appears in the list:

| metasearch | stats values(sourcetype) as sourcetype by host
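The first check above (that each data input carries the source type the add-on README requires) can be done against the inputs.conf file itself before any events arrive. The following Python script is an added example, not part of this documentation or of Splunk's own tooling: it parses a constructed inputs.conf containing a UDP input for Juniper Netscreen syslog and a TCP input that was left without a source type, compares each network input against a constructed table of expected source types, and reports inputs that are missing a source type, carry an unexpected one, or are not configured at all. The port numbers, the expected source type for the TCP input, and the stanza contents are all assumptions for illustration.

```python
import configparser
from io import StringIO

# Constructed sample of an inputs.conf as it might look after following the
# steps above: a UDP input for Juniper Netscreen syslog and a TCP input that
# was left without an explicit sourcetype (the defect the check should catch).
SAMPLE_INPUTS_CONF = """
[udp://514]
sourcetype = netscreen:firewall
connection_host = dns

[tcp://9514]
connection_host = ip

[monitor:///var/log/messages]
sourcetype = syslog
"""

# Constructed expectations: the source type each network input must carry,
# as stated in the corresponding add-on README. Keys are "protocol://port".
# The TCP entry is a hypothetical second device used only for illustration.
EXPECTED_SOURCETYPES = {
    "udp://514": "netscreen:firewall",
    "tcp://9514": "cisco:asa",
}


def parse_inputs_conf(text):
    """Parse inputs.conf text into {stanza: {key: value}}.

    Splunk conf files use INI-style stanzas, so configparser is sufficient
    for this check. Only '=' is treated as a key/value delimiter so that
    values containing ':' (such as netscreen:firewall) survive intact, and
    interpolation is disabled so '%' in values is not mangled.
    """
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",)
    )
    parser.optionxform = str  # keep key case exactly as written
    parser.read_file(StringIO(text))
    return {section: dict(parser.items(section)) for section in parser.sections()}


def check_network_inputs(stanzas, expected):
    """Return a sorted list of (stanza, problem) for TCP/UDP inputs.

    Problems reported:
      - "missing sourcetype": the input has no explicit source type, so the
        add-on will not recognise the events it receives.
      - "unexpected sourcetype X (expected Y)": the input is labelled with a
        source type other than the one the add-on README requires.
      - "not configured": an expected input has no stanza at all.
    """
    problems = []
    for name, settings in stanzas.items():
        if not (name.startswith("tcp://") or name.startswith("udp://")):
            continue  # file monitors, scripts, etc. are out of scope here
        sourcetype = settings.get("sourcetype")
        if not sourcetype:
            problems.append((name, "missing sourcetype"))
            continue
        want = expected.get(name)
        if want is not None and sourcetype != want:
            problems.append(
                (name, f"unexpected sourcetype {sourcetype} (expected {want})")
            )
    for name in expected:
        if name not in stanzas:
            problems.append((name, "not configured"))
    return sorted(problems)


if __name__ == "__main__":
    stanzas = parse_inputs_conf(SAMPLE_INPUTS_CONF)
    for stanza, problem in check_network_inputs(stanzas, EXPECTED_SOURCETYPES):
        print(f"{stanza}: {problem}")
```

Run against a real deployment by reading the file instead of the embedded sample (for example `open("/opt/splunk/etc/apps/<app>/local/inputs.conf").read()`, where the app path is whatever holds your inputs); the check only reads the configuration, so it is safe to run on a production search head or forwarder.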

Last modified on 30 April, 2014

This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1

