Configure an event index
The data that Splunk processes resides in an index. Splunk does not create an index by default, so you must set up an event index after you install the CylancePROTECT Application for Splunk. An event index can hold any type of data.

- If you want to install the CylancePROTECT Application for Splunk manually, see Install the CylancePROTECT Application for Splunk manually.
- In Splunk, on the menu bar, click Settings > Indexes > New Index.
- In the New Index dialog box, fill in the fields. We recommend that you use cylance_protect as the index name. If you use a custom index name, the eventtype=cylance_index must be modified to accept the custom index name.
- Click Save.
- On the menu bar, click Settings > Event Types to confirm that the search string appears as index=protect OR index=Cylance_protect.
- In Settings, click Advanced Search > Search Macros and confirm that the search string appears as index=protect OR index=Cylance_protect.

When you upgrade your Splunk environment, there should be an existing index, and the existing configuration files in local should contain the correct file name. In some cases, local files that may have been created for previous installations (for example, files that contain default.xml) will override menus added in the new release. To correct this, either delete the local file or restart the Splunk search head using the $SPLUNK_HOME/bin/splunk restart command.
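As an added illustration (not taken from the BlackBerry documentation or the app's own files), these are the configuration stanzas that the steps above correspond to when you use a custom index name; the app directory name is a placeholder and the homePath/coldPath/thawedPath values are assumed standard Splunk defaults:

```ini
# $SPLUNK_HOME/etc/system/local/indexes.conf  (or the local/ directory of the app that owns the index)
# Defines the event index; "cylance_protect" is the recommended name from the steps above.
[cylance_protect]
homePath   = $SPLUNK_DB/cylance_protect/db
coldPath   = $SPLUNK_DB/cylance_protect/colddb
thawedPath = $SPLUNK_DB/cylance_protect/thaweddb

# $SPLUNK_HOME/etc/apps/<cylance_app_dir>/local/eventtypes.conf   (<cylance_app_dir> is a placeholder)
# local/ takes precedence over default/, so this overrides the shipped eventtype
# without editing the default/ files that the next app upgrade would replace.
# The shipped search string, as described in the steps above, is:
#   search = index=protect OR index=Cylance_protect
# If you chose a custom index name (constructed example: "cyl_edr"), the eventtype
# must also match that index, otherwise the app's dashboards return no events:
[cylance_index]
search = index=protect OR index=Cylance_protect OR index=cyl_edr
```

After saving, $SPLUNK_HOME/bin/splunk btool eventtypes list cylance_index --debug shows which file the effective stanza is read from, and $SPLUNK_HOME/bin/splunk restart reloads it.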