Configuration¶
Having installed the app for the first time, navigate to the Configure Indexes and Collections dashboard underneath the Configure dropdown menu on the navigation bar. It should look like this:
Indexes¶
The dashboard will instruct on the indexes that are required for the app to function, unlike in previous versions where these indexes were pre-defined (indicator_index and scoring_index), from version 2.0 onwards the application utilises search macros which need to be defined as indexes present on the Splunk instance:
- indicator_index - the index used to store output of behavioral indicator searches.
- scoring_index - the index used to store output of anomaly scoring rules.
The dashboard will advise on whether the index macros are defined or missing and what the current retention settings are. If the app is being installed for the first time they will NOT be defined.
Creating new indexes on Single Instance Splunk Deployments¶
Index definitions may be created using the indexes page in Splunk Cloud, but should usually be deployed using configuration files in Splunk Enterprise, both methods are outlined here.
Creating new indexes on Distributed Splunk Deployments¶
Deploying indexes in a distributed environment has different implications which are discussed at length in the Splunk docs.
Note that for either method on the configuration dashboard there is a link to a sample indexes.conf template for two example indexes.
Defining the search macros¶
Once indexes have been created, use the links on the dashboard to navigate to the search macro definitions. The only input required is the name of the index under the Definition field:
Collections¶
The dashboard will also instruct on the collections required by the app to store metadata associated with searches built by the user, they are:
- indicator_metadata
- scoring_search_metadata
By default these collections should be defined within the app. If the dashboard produces False for collection_is_defined investigate the default/collections.conf file in the app directory.