Indexes
The Enterprise Security app uses a number of custom indexes for event storage. These custom indexes are defined in the indexes.conf files of the SA-* and TA-* apps that make up the complete Enterprise Security app.
- In a single server deployment, the indexes will be defined and reside on the same instance. For an architectural overview, see the topic on "Single server deployments" in this manual.
- In all other deployments, the indexes must be created on all Splunk Enterprise indexers, or search peers. For an architectural overview, see the topic on "Distributed search deployments" in this manual.
SA-ForIndexers
The Splunk App for Enterprise Security includes the sample app SA-ForIndexers, which collects the ES custom indexes as an example of deploying a common indexes.conf as an app. The sample app is available in an archive file contained in the Enterprise Security Install App. You will need server access to unzip the archive where the sample apps are stored.
- Unzip this file: SplunkEnterpriseSecuritySuiteInstaller/default/src/splunk_app_es-*.zip
- After unzipping, the deployment-apps can be found at: SplunkEnterpriseSecuritySuiteInstaller/default/src/etc/deployment-apps
The SA-ForIndexers sample app indexes.conf file should be used for reference only. It does not provide comprehensive examples to address:
- Multiple storage paths
- Accelerated data models
- Data Retention
- Bucket sizing
- Use of volume parameters.
For detailed examples, see the indexes.conf.example topic in the Admin manual.
Indexes by SA

| App context | Indexes |
|---|---|
| SA-AccessProtection | access_summary, access_summary2 |
| SA-AuditAndDataProtection | audit_summary, audit_summary2 |
| SA-EndpointProtection | endpoint_summary, endpoint_summary2 |
| SA-IdentityManagement | session_start, session_end |
| SA-ThreatIntelligence | notable (contains the notable events), notable_summary (contains a stats summary of notable events used on some dashboards), risk (contains the risk modifier events) |
| SA-NetworkProtection | network_summary, network_summary2, network_summary3, traffic_center_summary, traffic_center_summary2, whois, proxy_center_summary, proxy_center_summary2 |
| Splunk_SA_CIM | cim_summary |
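Because the sample indexes.conf is reference-only, and because in a distributed deployment every one of the indexes in the table above must exist on every indexer, it is worth checking the indexes.conf you actually push to the search peers before deploying it. The script below is an added example written for this page; it is not part of SA-ForIndexers or any Splunk tooling. It parses an indexes.conf, reports which ES indexes from the table are not defined, and flags the settings the sample app leaves out: missing homePath/coldPath/thawedPath, references to a volume that is never defined, a thawedPath that uses a volume (Splunk does not allow volume references there), and indexes with no explicit retention (frozenTimePeriodInSecs) or size cap (maxTotalDataSizeMB). The embedded indexes.conf is a constructed sample that deliberately contains one good stanza and two flawed ones; the volume names and paths in it are assumptions, not values from the shipped app.

```python
"""Audit an indexes.conf against the ES custom indexes (added example, not Splunk code)."""
import configparser
from typing import Dict, List, Set

Stanzas = Dict[str, Dict[str, str]]

# Indexes per SA app, copied from the table on this page.
ES_INDEXES: Dict[str, Set[str]] = {
    "SA-AccessProtection": {"access_summary", "access_summary2"},
    "SA-AuditAndDataProtection": {"audit_summary", "audit_summary2"},
    "SA-EndpointProtection": {"endpoint_summary", "endpoint_summary2"},
    "SA-IdentityManagement": {"session_start", "session_end"},
    "SA-ThreatIntelligence": {"notable", "notable_summary", "risk"},
    "SA-NetworkProtection": {"network_summary", "network_summary2", "network_summary3",
                             "traffic_center_summary", "traffic_center_summary2", "whois",
                             "proxy_center_summary", "proxy_center_summary2"},
    "Splunk_SA_CIM": {"cim_summary"},
}
ALL_ES_INDEXES: Set[str] = set().union(*ES_INDEXES.values())

# Constructed sample indexes.conf (assumed volume names/paths; not the SA-ForIndexers file).
SAMPLE_INDEXES_CONF = """\
[volume:hot]
path = /opt/splunk/var/lib/splunk
maxVolumeDataSizeMB = 500000

[volume:cold]
path = /mnt/cold
maxVolumeDataSizeMB = 2000000

# Complete stanza: volumes for hot/cold, plain path for thawed, retention and size cap.
[notable]
homePath = volume:hot/notable/db
coldPath = volume:cold/notable/colddb
thawedPath = $SPLUNK_DB/notable/thaweddb
frozenTimePeriodInSecs = 63072000
maxTotalDataSizeMB = 100000
repFactor = auto

# Flawed: no retention or size cap, so Splunk defaults apply silently.
[risk]
homePath = $SPLUNK_DB/risk/db
coldPath = $SPLUNK_DB/risk/colddb
thawedPath = $SPLUNK_DB/risk/thaweddb

# Flawed: coldPath names a volume that is never defined; thawedPath uses a volume.
[whois]
homePath = volume:hot/whois/db
coldPath = volume:archive/whois/colddb
thawedPath = volume:cold/whois/thaweddb
frozenTimePeriodInSecs = 7776000
maxTotalDataSizeMB = 20000
"""


def parse_indexes_conf(text: str) -> Stanzas:
    """Parse indexes.conf text into {stanza: {setting: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # Splunk settings are case-sensitive (homePath, coldPath, ...)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def volumes(conf: Stanzas) -> Set[str]:
    """Names of the [volume:<name>] stanzas."""
    return {s[len("volume:"):] for s in conf if s.startswith("volume:")}


def defined_indexes(conf: Stanzas) -> Set[str]:
    """Index stanzas, i.e. everything that is not a volume or [default]."""
    return {s for s in conf if not s.startswith("volume:") and s != "default"}


def missing_indexes(conf: Stanzas, required: Set[str]) -> Set[str]:
    """Required indexes that the conf does not define at all."""
    return set(required) - defined_indexes(conf)


def audit_index(name: str, settings: Dict[str, str], vols: Set[str]) -> List[str]:
    """Findings for one index stanza: paths, volume references, retention, size cap."""
    findings: List[str] = []
    for key in ("homePath", "coldPath", "thawedPath"):
        val = settings.get(key)
        if val is None:
            findings.append(f"{name}: {key} is not set")
            continue
        if val.startswith("volume:"):
            vol = val.split("/", 1)[0][len("volume:"):]
            if key == "thawedPath":
                findings.append(f"{name}: thawedPath may not reference a volume")
            elif vol not in vols:
                findings.append(f"{name}: {key} references undefined volume '{vol}'")
    if "frozenTimePeriodInSecs" not in settings:
        findings.append(f"{name}: no frozenTimePeriodInSecs (retention falls back to the Splunk default)")
    if "maxTotalDataSizeMB" not in settings:
        findings.append(f"{name}: no maxTotalDataSizeMB (size cap falls back to the Splunk default)")
    return findings


def audit(conf: Stanzas, required: Set[str]) -> List[str]:
    """Full report: missing ES indexes first, then per-stanza findings."""
    vols = volumes(conf)
    report = [f"missing index stanza: {n}" for n in sorted(missing_indexes(conf, required))]
    for name in sorted(defined_indexes(conf)):
        report.extend(audit_index(name, conf[name], vols))
    return report


if __name__ == "__main__":
    for line in audit(parse_indexes_conf(SAMPLE_INDEXES_CONF), ALL_ES_INDEXES):
        print(line)
```

To check a real deployment app, replace SAMPLE_INDEXES_CONF with the contents of its default/indexes.conf (for example the one under etc/deployment-apps/SA-ForIndexers) and run the same audit on each indexer's effective configuration; the set of missing stanzas must be empty on every search peer, or searches in ES will fail for those indexes. A [default] stanza that sets frozenTimePeriodInSecs or maxTotalDataSizeMB globally would satisfy those two checks in practice; this checker looks only at each index stanza, so extend audit_index to consult conf.get("default") if you rely on that.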
This documentation applies to the following versions of Splunk® Enterprise Security: 3.1, 3.1.1, 3.2, 3.2.1, 3.2.2