Configure macros in the Splunk App for Splunk Attack Analyzer
The Splunk App for Splunk Attack Analyzer ships with a configured macro that serves as the basis from which the app dashboards operate. The macro has these default configurations:
- Macro name: saa_indexes
- Definition: index="main"
- Index: main
If you manage inputs from the add-on rather than the app, or if your Splunk Attack Analyzer data goes to an index other than the main index or another default index you set for your environment, add those inputs or indexes to the macro definition.
If the Splunk Attack Analyzer data is flowing into an index other than the main index, follow these steps to reconfigure the macro.
Reconfigure the macro
To change the macro definition, perform the following steps on all search heads:
- Navigate to Settings and then to Advanced search.
- Select Search macros.
- From the list of apps, select Splunk App for Splunk Attack Analyzer (saa_indexes).
- Set the list by Owner to Any and Created in App.
- Select saa_indexes. This opens the definition page of saa_indexes.
- In Definition, change the index to the name of the index where Splunk Attack Analyzer data is flowing in. For example, if the Splunk Attack Analyzer data is flowing into the index named saa, the definition is index=saa.
- Select Save to save your changes.
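Because the change must be made on every search head, a quick consistency check helps confirm that none still uses the shipped definition. The following is an added example, not part of the Splunk documentation or the app: it assumes you have collected the text of the app's local macros.conf from each search head, and the host names sh1 to sh3, the index name saa_archive, and the file contents are constructed sample data.

```python
import configparser
import re

MACRO = "saa_indexes"

# Constructed sample data: the app's shipped default and each search head's
# local/macros.conf text. Host names sh1..sh3 are hypothetical.
DEFAULT_CONF = '[saa_indexes]\ndefinition = index="main"\n'
LOCAL_CONFS = {
    "sh1": "[saa_indexes]\ndefinition = index=saa\n",
    "sh2": '[saa_indexes]\ndefinition = (index=saa OR index="saa_archive")\n',
    "sh3": "",  # macro never reconfigured on this search head
}

INDEX_RE = re.compile(r'\bindex\s*=\s*"?([\w*-]+)"?', re.IGNORECASE)


def effective_definition(default_text, local_text):
    """Return the macro definition in effect: local overrides default."""
    for text in (local_text, default_text):
        parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
        parser.read_string(text)
        if parser.has_option(MACRO, "definition"):
            return parser.get(MACRO, "definition").strip()
    return None


def indexes_in(definition):
    """Extract the index names a macro definition searches."""
    return sorted(set(INDEX_RE.findall(definition or "")))


def audit(expected_index, default_text, local_by_host):
    """Map each search head whose macro omits expected_index to what it searches."""
    findings = {}
    for host, local_text in local_by_host.items():
        found = indexes_in(effective_definition(default_text, local_text))
        if expected_index not in found:
            findings[host] = found
    return findings


if __name__ == "__main__":
    for host, found in audit("saa", DEFAULT_CONF, LOCAL_CONFS).items():
        print(f"{host}: {MACRO} searches {found}, expected index 'saa'")
```

With the sample data, only sh3 is reported, because it still resolves to the shipped index="main" definition.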
This documentation applies to the following versions of Splunk® App for Splunk Attack Analyzer: 1.0.0, 1.1.0, 1.1.1, 1.2.0