Splunk® Enterprise Security

Install and Upgrade Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Indexes

The Enterprise Security app utilizes a number of custom indexes for event storage. Custom indexes are defined in the indexes.conf in the SA* or TA* applications that comprise the complete Enterprise Security app.

  • In a single server deployment, the indexes will be defined and reside on the same instance. For an architectural overview, see the topic on "Single server deployments" in this manual.
  • In all other deployments, the indexes must be created on all Splunk Enterprise indexers, or search peers. For an architectural overview, see the topic on "Distributed search deployments" in this manual.

SA-ForIndexers

The Splunk App for Enterprise Security includes the sample app SA-ForIndexers with the collection of ES custom indexes as an example for deploying a common indexes.conf as an app. The sample app is available in an archive file contained in the Enterprise Security Install App. You will need server access to unzip the archive where the sample apps are stored.

  1. Unzip this file: SplunkEnterpriseSecuritySuiteInstaller/default/src/splunk_app_es-*.zip.
  2. After unzipping, the deployment-apps can be found at: SplunkEnterpriseSecuritySuiteInstaller/default/src/etc/deployment-apps.

The SA-ForIndexers sample app indexes.conf file should be used for reference only. It does not provide comprehensive examples to address:

  • Multiple storage paths
  • Accelerated data models
  • Data Retention
  • Bucket sizing
  • Use of volume parameters.

For detailed examples, see the indexes.conf.example topic in the Admin manual.

Indexes by SA

App context Indexes
SA-AccessProtection * access_summary
* access_summary2
SA-AuditAndDataProtection * audit_summary
* audit_summary2
SA-EndpointProtection * endpoint_summary
* endpoint_summary2
SA-IdentityManagement * session_start
* session_end
SA-ThreatIntelligence * The notable index contains the notable events.
* The notable_summary index contains a stats summary of notable events used on some dashboards.
* The risk index contains the risk modifier events.
SA-NetworkProtection * network_summary
* network_summary2
* network_summary3
* traffic_center_summary
* traffic_center_summary2
* whois
* proxy_center_summary
* proxy_center_summary2
Splunk_SA_CIM * cim_summary
Last modified on 14 April, 2015
Data models in the Enterprise Security app   List of reports by security domain

This documentation applies to the following versions of Splunk® Enterprise Security: 3.1, 3.1.1, 3.2, 3.2.1, 3.2.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters