Monday, June 20, 2022

Splunk Configuration - create index


How to create an index in Splunk:

  1. Go to Manager > Indexes > New

  2. Enter Index name


Define the data input to be put into the new index:

  1. Define each source by its TCP or UDP port; a port can be bound by only one input, so the port must be unique to each index.

  2. Go to Manager > Indexes > Data Inputs > TCP or UDP > New

  3. Enter the port > select the source type > click “More settings” > define the Index for this source.


To open the port in the RedHat firewall:

  1. SSH to the server.

  2. Log in as root.

  3. Run the “system-config-firewall” command.

  4. Select “Customize”

  5. Select “Forward” until you get to the “Other Ports” screen.

  6. Select “Add”, enter the port number and “udp” in the “Protocol:” field, select “OK”

  7. Select “Close”

  8. Select “OK”

  9. Select “Yes” to activate your changes.


To secure users based on role:

  1. Go to Manager > Access Controls

  2. Add a new role

  3. In the “Indexes” section, select the indexes that this role is allowed to search.


To create a new user and assign a specific role:

  1. Go to Manager > Access Controls

  2. Add a new user

  3. Enter the username and password information

  4. In the “Assign to roles” section, add the appropriate role for this user.
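Everything the four procedures above set through Manager is written to Splunk's own configuration files under $SPLUNK_HOME/etc: the index to indexes.conf, the TCP/UDP input to inputs.conf, and the role's searchable indexes to authorize.conf. The script below is an added example, not part of this post and not Splunk's code: it parses constructed sample copies of those three files (the index, port, role and IP values are hypothetical; the stanza forms and the keys homePath, coldPath, thawedPath, sourcetype, index, srchIndexesAllowed and srchIndexesDefault are real Splunk settings) and runs the checks a reviewer would want after clicking through the steps: every network input binds a unique port and routes to an index that is actually defined, and every role's srchIndexesAllowed names only defined indexes, with wildcards flagged for review.

```python
"""Cross-check the Splunk .conf stanzas behind the Manager steps above.
Added example with constructed sample configs; names are hypothetical."""
import configparser
from typing import Dict, List, Set, Tuple

# Constructed sample of indexes.conf: one real index plus the global [default] stanza.
INDEXES_CONF = """
[default]
maxTotalDataSizeMB = 500000

[netsyslog]
homePath   = $SPLUNK_DB/netsyslog/db
coldPath   = $SPLUNK_DB/netsyslog/colddb
thawedPath = $SPLUNK_DB/netsyslog/thaweddb
"""

# Constructed sample of inputs.conf with two deliberate mistakes:
# the second stanza rebinds udp/5514, and tcp/9997 routes to an index
# that indexes.conf never defines.
INPUTS_CONF = """
[udp://5514]
sourcetype = syslog
index = netsyslog

[udp://10.0.0.5:5514]
sourcetype = syslog
index = netsyslog

[tcp://9997]
sourcetype = syslog
index = fwlogs

[monitor:///var/log/messages]
index = netsyslog
"""

# Constructed sample of authorize.conf: one clean role, one naming an
# undefined index, one granting every index via a wildcard.
AUTHORIZE_CONF = """
[role_netops]
srchIndexesAllowed = netsyslog
srchIndexesDefault = netsyslog

[role_secops]
srchIndexesAllowed = netsyslog;fwlogs

[role_auditor]
srchIndexesAllowed = *
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk .conf text (INI-style stanzas) into {stanza: {key: value}}.
    Interpolation is off because values contain '$SPLUNK_DB'; optionxform=str
    keeps Splunk's camelCase keys (homePath, srchIndexesAllowed) intact."""
    cp = configparser.ConfigParser(interpolation=None, strict=True)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def defined_indexes(indexes_conf: str) -> Set[str]:
    """Index names declared in indexes.conf: every stanza except the global
    [default] stanza and volume definitions ([volume:<name>])."""
    return {s for s in parse_conf(indexes_conf)
            if s != "default" and not s.startswith("volume:")}


def parse_input_stanza(stanza: str) -> Tuple[str, int]:
    """Turn 'udp://5514' or 'tcp://<remote host>:9997' into ('udp', 5514).
    Non-network inputs (monitor://, script://) raise ValueError."""
    proto, sep, rest = stanza.partition("://")
    if sep != "://" or proto not in ("tcp", "udp"):
        raise ValueError(f"not a network input: {stanza}")
    port = int(rest.rsplit(":", 1)[-1])   # drop an optional remote-host prefix
    return proto, port


def check_inputs(inputs_conf: str, indexes: Set[str]) -> List[str]:
    """Flag inputs that reuse a port, route to an undefined index, or omit index=."""
    findings: List[str] = []
    bound: Dict[Tuple[str, int], str] = {}
    for stanza, kv in parse_conf(inputs_conf).items():
        try:
            proto, port = parse_input_stanza(stanza)
        except ValueError:
            continue                      # file monitors etc. have no port to check
        if not 1 <= port <= 65535:
            findings.append(f"[{stanza}] port {port} is out of range")
        key = (proto, port)
        if key in bound:
            findings.append(f"[{stanza}] reuses {proto}/{port} already bound by [{bound[key]}]")
        else:
            bound[key] = stanza
        idx = kv.get("index")
        if idx is None:
            findings.append(f"[{stanza}] has no index=; events would land in the default index")
        elif idx not in indexes:
            findings.append(f"[{stanza}] routes to undefined index '{idx}'")
    return findings


def check_roles(authorize_conf: str, indexes: Set[str]) -> List[str]:
    """Flag roles whose srchIndexesAllowed names undefined indexes or uses a wildcard."""
    findings: List[str] = []
    for stanza, kv in parse_conf(authorize_conf).items():
        if not stanza.startswith("role_"):
            continue
        allowed = [n.strip() for n in kv.get("srchIndexesAllowed", "").split(";") if n.strip()]
        for name in allowed:
            if "*" in name:
                findings.append(f"[{stanza}] srchIndexesAllowed grants wildcard '{name}'; list indexes explicitly")
            elif name not in indexes:
                findings.append(f"[{stanza}] allows search of undefined index '{name}'")
    return findings


def audit(indexes_conf: str, inputs_conf: str, authorize_conf: str) -> List[str]:
    """Run both checks against the index list and return every finding."""
    idx = defined_indexes(indexes_conf)
    return check_inputs(inputs_conf, idx) + check_roles(authorize_conf, idx)


if __name__ == "__main__":
    for line in audit(INDEXES_CONF, INPUTS_CONF, AUTHORIZE_CONF):
        print(line)
```

Run it against copies of your own files (read them into the three strings) before restarting Splunk: an input that names an index Manager never created, or a role that lists one, is easy to miss when each is configured on a separate screen.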