# Update Splunk Index

**Danger, Will Robinson:** If the index is not updated to the correct setting, no devices will be available in Splunk Enterprise Security.

The index definition is set by a search macro. Update the index definition to the index that actually contains events with the `sentinelone:channel:agents` sourcetype.
# How to update

Either route below updates the same macro; use whichever is more convenient.

From Splunk Enterprise Security:

- Navigate to Configure > General > General Settings.
- From the "App" dropdown select `SA-SentinelOneDevices`.
- Update the SA-SentinelOneDevices Index definition and click "Save."

From the Splunk search macro settings:

- Navigate to Settings > Advanced Search > Search Macros.
- From the "App" dropdown choose `SA-SentinelOneDevices`.
- Set the "Owner" dropdown to `any` so the macro is listed regardless of its sharing level.
- Click the macro named `sa_sentinelone_index` and update the index definition.
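The same change can be made from the command line on the search head, which is useful for scripted deployments or when the web UI is unavailable. The script below is an added example and is not part of the SA-SentinelOneDevices app or of Splunk's own documentation. It assumes the macro body has the usual `index=<name>` form, that the override belongs in the app's `local/macros.conf` (the file the UI writes to, so it survives app upgrades), and that the target index is called `sentinelone`; the hypothetical function names are the example's own.

```shell
#!/bin/sh
# Added example: set the sa_sentinelone_index macro by editing local/macros.conf.
# Not code from the SA-SentinelOneDevices app. Assumes the macro body is "index=<name>".

# Splunk index names are lowercase letters, digits, underscore and hyphen, and
# may not start with underscore or hyphen. Rejecting anything else also keeps
# shell metacharacters or SPL out of the macro definition.
valid_index_name() {
  case "$1" in
    ''|_*|-*|*[!a-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# write_index_macro SPLUNK_HOME INDEX
# Replaces any existing [sa_sentinelone_index] stanza in the app's local
# macros.conf with "definition = index=INDEX" and prints the path written.
write_index_macro() {
  splunk_home=$1
  idx=$2
  valid_index_name "$idx" || { echo "invalid index name: $idx" >&2; return 1; }
  dir="$splunk_home/etc/apps/SA-SentinelOneDevices/local"
  mkdir -p "$dir"
  conf="$dir/macros.conf"
  # Drop the old stanza (header through the line before the next [stanza]) so
  # the file never carries two definitions for the same macro.
  if [ -f "$conf" ]; then
    awk -v s='[sa_sentinelone_index]' '
      $0 == s { skip = 1; next }
      /^\[/   { skip = 0 }
      !skip   { print }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
  fi
  printf '[sa_sentinelone_index]\ndefinition = index=%s\n\n' "$idx" >> "$conf"
  echo "$conf"
}

# macro_definition SPLUNK_HOME
# Prints the definition currently recorded for the macro in local/macros.conf.
macro_definition() {
  awk '
    /^\[sa_sentinelone_index\]/ { f = 1; next }
    /^\[/                        { f = 0 }
    f && /^definition/           { sub(/^definition *= */, ""); print }
  ' "$1/etc/apps/SA-SentinelOneDevices/local/macros.conf"
}

# verify_search
# Prints the search to run after the change: if the macro points at the right
# index, this returns a non-zero count for the agents sourcetype.
verify_search() {
  printf '| tstats count where `sa_sentinelone_index` sourcetype="sentinelone:channel:agents" by sourcetype\n'
}

# Usage (assumed paths; adjust SPLUNK_HOME and the index name for your deployment):
#   write_index_macro /opt/splunk sentinelone
#   macro_definition /opt/splunk
#   verify_search
```

After writing the file, reload the configuration (a `splunk restart`, or a refresh of the search head's configs) so the new definition is picked up, then confirm which copy of the stanza wins with `$SPLUNK_HOME/bin/splunk btool macros list sa_sentinelone_index --debug`; the `local/` file should be listed as the source of `definition`. Finally run the printed `tstats` search in Splunk: a count of zero means the macro still points at an index without `sentinelone:channel:agents` events and the devices will remain missing from Enterprise Security.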