- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- WSOC App with more than one index
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to use the Windows Security Operations Center (WSOC) app but My win. event logs or fragmented in many indexes. I use different indexes to keep track of different business segments and each segment keeps there windows events in there own index. I would like to pint the WSOC at all the indexes that have Win event logs. Can I do this with the configuration GUI and how?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The WSOC apps (v1.1) uses macros so you can change this easily.
Go to Manager -> Advanced search -> Search macros
You should see two macros used by the application:
windowsindex and windowssourcetype
Feel free to modify them so they include all your indexes. You can simply enter multiple indexes with the OR keyword in the windowsindex macro, for example:
index=myindex1 OR index=myindex2
This will make Splunk search through both indexes and the whole application should work automatically since all searches use this macro.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The WSOC apps (v1.1) uses macros so you can change this easily.
Go to Manager -> Advanced search -> Search macros
You should see two macros used by the application:
windowsindex and windowssourcetype
Feel free to modify them so they include all your indexes. You can simply enter multiple indexes with the OR keyword in the windowsindex macro, for example:
index=myindex1 OR index=myindex2
This will make Splunk search through both indexes and the whole application should work automatically since all searches use this macro.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What if one wants to search for more than one windowssourcetype?
I tried to do the same as you showed for the indexes and nothing seems to be happening from the change.
I'd like to add Application and System events as well.
Any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you are a lifesaver thanks so much this is what I was looking for.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
did you try by adding your indexes :
Manager » Access controls » Roles » admin » Indexes searched by default
or using modifying the app WSOC searches and adding a macro
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes too many indexes to put in roles and I don't what to have to do this for all groups that need data. Can you point me or get me started on a "MACRO" that would work with this APP?
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
