Configure the index

In accordance with best practices, this application does not create an index by default (the app is not distributed with a

After installing this app, the administrator should make sure the index is set up correctly. There are two scenarios:
Installing for the First Time
Immediately after installation, there will be no app-specific index, so you should create one using Splunk Web > Settings > Indexes. It is recommended to use the index name cylance_protect.
This app uses eventtypes to drive the dashboard searches and a macro to define the index. Both can be checked in the UI. In Splunk Web > Settings > Event Types, confirm that the search string of the cylance_index entry is:
search = index=protect OR index=cylance_protect
Under Splunk Web > Advanced Search > Search Macros, confirm that the macro's search string is:
search = index=protect OR index=cylance_protect
In the case of an upgrade, there should be an existing index, and the existing config files in local should contain the correct name, and therefore no specific steps need to be taken.
It is recommended to check for any local files that may have been created for previous installations, as they will override defaults.
For example, the following local (default.xml) file will override any menus provided in new releases. Delete this file and restart the search head to see any new menus and dashboards:
$SPLUNK_HOME/bin/splunk restart
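The two checks above (the cylance_index eventtype search string, and local files shadowing defaults) can be scripted against the app directory. The following is an added example, not part of the app or its documentation; it assumes the standard Splunk app layout of a default/ and a local/ directory under an app directory passed as APPDIR, and the helper names are made up for the demo.

```sh
#!/bin/sh
# Added example (not the app's own code). Resolves Splunk .conf values with
# the precedence the docs describe: local/ overrides default/.

# conf_get FILE STANZA KEY: print the value of KEY in [STANZA]; fail if absent.
conf_get() {
    [ -f "$1" ] || return 1
    awk -v stanza="[$2]" -v key="$3" '
        /^[ \t]*\[/ { in_stanza = ($0 == stanza); next }
        in_stanza && /^[^#=]+=/ {
            k = $0; sub(/[ \t]*=.*/, "", k)            # key part of "k = v"
            if (k == key) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v)    # value part (may itself contain "=")
                print v; found = 1; exit
            }
        }
        END { exit !found }
    ' "$1"
}

# effective_value APPDIR CONF STANZA KEY: the value Splunk would actually use.
effective_value() {
    conf_get "$1/local/$2" "$3" "$4" || conf_get "$1/default/$2" "$3" "$4"
}

# check_eventtype APPDIR: succeed only if cylance_index resolves to the
# search string the documentation expects (hypothetical check name).
check_eventtype() {
    expected='index=protect OR index=cylance_protect'
    actual=$(effective_value "$1" eventtypes.conf cylance_index search) || {
        echo "cylance_index eventtype not found in local/ or default/" >&2; return 1; }
    [ "$actual" = "$expected" ] || {
        echo "cylance_index search is '$actual', expected '$expected'" >&2; return 1; }
}

# local_overrides APPDIR: list files under local/ that shadow a file in default/,
# such as a stale data/ui/nav/default.xml (assumed path) hiding new menus.
local_overrides() {
    ( cd "$1/local" 2>/dev/null || exit 0
      find . -type f | sed 's|^\./||' | while read -r f; do
          [ -f "../default/$f" ] && echo "$f"
      done )
}
```

Run `check_eventtype "$SPLUNK_HOME/etc/apps/<app>"` after an install or upgrade, and review anything `local_overrides` prints before deleting it.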