Powered by

# Update Splunk Index

The index definition is set by a search macro.

Macro Default Description
sa_crowdstrike_index index=crowdstrike Index definition for CrowdStrike devices index.

Update the index definition to the correct index that contains the crowdstrike:device:json sourcetype.

# How to update

  1. (In Splunk Enterprise Security) Navigate to Configure > General > General Settings.
  2. From the "App" dropdown select SA-CrowdstrikeDevices.
  3. Update the SA-CrowdstrikeDevices Index definition and click "Save."
  1. Navigate to Settings > Advanced Search > Search Macros.
  2. From the "App" dropdown choose SA-CrowdstrikeDevices.
  3. Set the "Owner" dropdown to any.
  4. Click the macro named sa_crowdstrike_index to update the index definition.