A direct answer to this question is not low-hanging fruit.
The list of datamodels used in ESS can be referred to here - http://dev.splunk.com/view/enterprise-security/SP-CAAAFBM
And the 'tag' details corresponding to each datamodel can be referred to here (click on each datamodel to see tag details) - https://docs.splunk.com/Documentation/CIM/latest/User/Overview
First of all, ES does not "use tags"; it uses the CIM, which does "use tags".
As far as investigating the CIM's use of tags and the data that you have in Splunk, the best tool that you can use is CIM Validator, here: https://github.com/hire-vladimir/SA-cim_vladiator
Nice, tag=authentication shows me the data, but tag=web doesn't, even though we have web data. index=* tag=web does work. So why do we need the index=* part in some cases, while in others it's not needed?
Can you accept the answer if it's helpful?
Ok, the admin user doesn't have all the indexes in the default set of indexes ...
You are right. For performance reasons it's not wise to set 'Indexes searched by default' to search all indexes.
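As an added example, not part of the thread above, here are two searches a Splunk admin can run to confirm this diagnosis. The first lists which indexes and sourcetypes actually hold tag=web events (the explicit index=* scope overrides the role's default index set, which is why it returns results when a bare tag=web does not). The second reads the role definition through Splunk's REST endpoint and shows the role's default search indexes (srchIndexesDefault) next to the indexes it is allowed to search (srchIndexesAllowed); any index that appears in the first search but not in srchIndexesDefault explains the behaviour. The role name admin and the 24-hour window are assumptions; adjust them to your environment.

```spl
index=* tag=web earliest=-24h
| stats count by index, sourcetype

| rest /services/authorization/roles splunk_server=local
| search title=admin
| table title srchIndexesDefault srchIndexesAllowed
```

Run the two searches separately. Rather than widening 'Indexes searched by default' for the role, the usual fix is to keep the default set small and write saved searches and correlation rules with an explicit index= clause, so results do not depend on which user happens to run them.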