Splunk® App for PCI Compliance

Installation and Upgrade Manual

Download manual as PDF

Download topic as PDF

Configure and deploy indexes

Splunk App for PCI Compliance implements custom indexes for event storage. The indexes are defined across the apps provided with Splunk App for PCI Compliance.

  • In a single instance deployment, the installation of Enterprise Security creates the indexes in the default path for data storage.
  • In a Splunk Cloud deployment, customers work with Splunk Support to set up, manage, and maintain their cloud index parameters. See Manage Splunk Cloud indexes in the Splunk Cloud User Manual.
  • In a distributed deployment, create the indexes on all Splunk platform indexers or search peers.

Index configuration

The indexes defined in Splunk App for PCI Compliance do not provide configuration settings to address:

  • Multiple storage paths
  • Accelerated data models
  • Data retention
  • Bucket sizing
  • Use of volume parameters.

For detailed examples of configuring indexes, see indexes.conf.example in the Splunk Enterprise Admin Manual.

Indexes by app

App context Index Description
DA-ESS-ThreatIntelligence ioc Unused in this release.
threat_activity Contains events that result from a threat list match.
SA-EndpointProtection endpoint_summary Endpoint protection summary index.
SA-ThreatIntelligence notable Contains the notable events.
notable_summary Contains a stats summary of notable events used on select dashboards.
risk Contains the risk modifier events.
SA-NetworkProtection whois WHOIS data index.
Splunk_SA_CIM cim_summary Unused in this release.
cim_modactions Contains the adaptive response action events.
Splunk_SA_ExtremeSearch xtreme_contexts Contains the contexts for Extreme search.

Add-ons can include custom indexes defined in an indexes.conf file.

Index deployment

Splunk App for PCI Compliance includes a tool to gather the indexes.conf and index-time props.conf and transforms.conf settings from all enabled apps and add-ons on the search head and assemble them into one add-on. For more details, see Determine which add-ons to deploy on indexers in this manual.

PREVIOUS
Customize the menu bar in Splunk App for PCI Compliance
  NEXT
Configure users and roles

This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters