Configure macros in the Splunk Security App for SAP solutions
The Splunk Security App for SAP® solutions ships with a configured macro that serves as the basis from which the six app dashboards operate. The macro has these default configurations:
- Macro name: sap_etd_alerts_index
- Definition: index="main"
- Index: main
If you manage inputs from the add-on rather than the app, or if you are using any index for your SAP data other than the main index or another default index you set for your environment, add those inputs or indexes to the macro definition.
If the SAP Enterprise Threat Detection (ETD) data is flowing into an index other than the main index, follow the steps to reconfigure the macro.
Reconfigure the macro
To change the macro definition, perform the following steps on all search heads:
- Navigate to Settings and then to Advanced search.
- Select Search macros.
- In the App drop-down list, select Splunk Security App for SAP solutions (splunk_app_sap_etd_alerts).
- Set the drop-down lists next to Owner to Any and Created in App.
- Select sap_etd_alerts_index. This opens the definition page of sap_etd_alerts_index.
- In Definition, change the index to the name of the index where SAP ETD data is flowing in. For example, if the SAP ETD data is flowing into the index named sap_etd, the definition is index=sap_etd.
- Select Save to save changes.
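
Because the change has to be made on every search head, a drift check helps catch one that was missed and whose dashboards would silently search the wrong index. The following is an added example, not part of the Splunk documentation: it reads the macro from macros.conf text (an app's local/ settings override its default/), and reports search heads whose definition does not cover the expected index. The host names and file contents are constructed sample input, and the script assumes the definition is a plain list of index= terms.

```python
import configparser
import re
from fnmatch import fnmatch

MACRO = "sap_etd_alerts_index"  # macro name from the page
INDEX_TERM = re.compile(r'\bindex\s*=\s*"?([\w*.-]+)"?', re.IGNORECASE)

def effective_definition(default_conf, local_conf=""):
    """Return the definition in effect: local/macros.conf overrides default/."""
    definition = None
    for text in (default_conf, local_conf):  # later layer wins
        parser = configparser.ConfigParser(
            interpolation=None, strict=False, delimiters=("=",))
        parser.read_string(text)
        if parser.has_option(MACRO, "definition"):
            definition = parser.get(MACRO, "definition")
    if definition is None:
        raise KeyError(f"macro {MACRO} not defined")
    return definition

def indexes_in(definition):
    """Extract index names (or wildcard patterns) from index=... terms."""
    return {name.lower() for name in INDEX_TERM.findall(definition)}

def uncovered(search_heads, expected):
    """Map each search head to the expected indexes its macro does not search."""
    gaps = {}
    for host, (default_conf, local_conf) in search_heads.items():
        patterns = indexes_in(effective_definition(default_conf, local_conf))
        missing = {ix for ix in expected
                   if not any(fnmatch(ix, p) for p in patterns)}
        if missing:
            gaps[host] = missing
    return gaps

# Constructed sample input: shipped default plus each search head's local override.
DEFAULT = '[sap_etd_alerts_index]\ndefinition = index="main"\n'
LOCAL_SINGLE = "[sap_etd_alerts_index]\ndefinition = index=sap_etd\n"
LOCAL_BOTH = "[sap_etd_alerts_index]\ndefinition = index=main OR index=sap_etd\n"
SEARCH_HEADS = {
    "sh1.example.internal": (DEFAULT, LOCAL_SINGLE),
    "sh2.example.internal": (DEFAULT, ""),  # macro was never changed here
    "sh3.example.internal": (DEFAULT, LOCAL_BOTH),
}

if __name__ == "__main__":
    for host, missing in uncovered(SEARCH_HEADS, {"sap_etd"}).items():
        print(f"{host}: dashboards will not search {sorted(missing)}")
```
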
This documentation applies to the following versions of Splunk® Security App for SAP® solutions: 1.0.0