Powered by

# Update Splunk Index

The index definition is set by a search macro.

Macro Default Description
sa_aws_assets_index index=`aws-index-value` Index definition for AWS metadata index (sourcetype=aws:metadata).

# How to update

  1. (In Splunk Enterprise Security) Navigate to Configure > General > General Settings.
  2. From the "App" dropdown select SA-AwsAssets.
  3. Update the SA-AwsAssets Index definition and click "Save."
  1. Navigate to Settings > Advanced Search > Search Macros.
  2. From the "App" dropdown choose SA-AwsAssets.
  3. Set the "Owner" dropdown to any.
  4. Click the macro named sa_aws_assets_index to update the index definition.