Thanks MCronkrite!
I'm not sure if Splunk totally changed my topic, but my question direction was changed.
I reviewed the other DLP add-ons that Splunk has created and supported, in particular the RSA DLP application (https://splunkbase.splunk.com/app/2956/), and they all look to be using the Alerts data model for DLP. They state in the description that it's good for use in Splunk applications, including ES.
So I mocked up my DLP machine data to comply with that data model, and I'm wondering where it should populate in ES. Is there a swimlane that it should go to?
Thanks!