Configure the index

In accordance with Splunk best practices, this application does not create an index by default (the app is not distributed with a ./default/indexes.conf file).

After installing this app, the Splunk administrator should make sure the index is set up correctly. There are two scenarios:
Installing for the First Time
Immediately after installation, there will be no app-specific index, so you should create one using Splunk Web > Settings > Indexes. It is recommended to use the index name cylance_protect.

Next, you should confirm in Splunk Web > Settings > Event Types that the search string of the entry cylance_index is:
search = index=protect OR index=cylance_protect
This app uses eventtypes to drive the dashboard searches and a macro to define the index. Both can be checked in the Splunk UI: the event type entry is cylance_index under Splunk Web > Settings > Event Types, and the macro is under Splunk Web > Advanced Search > Search Macros. The search string for both is:
search = index=protect OR index=cylance_protect
Upgrading
In the case of an upgrade, there should be an existing index, and the existing config files in local should contain the correct name, so no specific steps need to be taken.

It is recommended to check for any local files that may have been created for previous installations, as they will override defaults. For example, the following local (default.xml) file will override any menus provided in new releases. Delete this file and restart the Splunk search head to see any new menus and dashboards.
$SPLUNK_HOME/etc/apps/cylance_protect/local/data/ui/nav/default.xml
$SPLUNK_HOME/bin/splunk restart
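The two checks described above (the cylance_index eventtype search string, and local files that shadow a file shipped in default) can be scripted against the app directory. The following is an added example, not part of the Cylance Protect app or of Splunk's tooling; the app tree it builds under a temp directory, including the sample nav XML and indexes.conf stanza, is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Cylance Protect app or of Splunk's tooling:
# audit an app directory for the two checks this page asks for. All paths and
# the sample app tree created by make_sample_app are constructed for the demo.

# Print the "search" value of stanza $2 in eventtypes.conf under app dir $1.
# A local/ copy wins over default/, which is Splunk's precedence for app files.
eventtype_search() {
  app="$1"; stanza="$2"
  for f in "$app/local/eventtypes.conf" "$app/default/eventtypes.conf"; do
    [ -f "$f" ] || continue
    awk -v s="[$stanza]" '
      $0 == s                    { in_s = 1; next }
      /^\[/                      { in_s = 0 }
      in_s && /^search[ \t]*=/   { sub(/^search[ \t]*=[ \t]*/, ""); print; exit }
    ' "$f" | grep . && return 0
  done
  return 1   # stanza missing from both files
}

# List files under $1/local that shadow a same-named file in $1/default.
# These are the leftovers the Upgrading section says will override new releases.
local_overrides() {
  app="$1"
  [ -d "$app/local" ] || return 0
  find "$app/local" -type f | sort | while read -r f; do
    rel="${f#"$app/local/"}"
    if [ -f "$app/default/$rel" ]; then echo "$rel"; fi
  done
  return 0
}

# Build a constructed sample app tree in a temp dir and print its path.
make_sample_app() {
  app="$(mktemp -d)/cylance_protect"
  mkdir -p "$app/default/data/ui/nav" "$app/local/data/ui/nav"
  printf '[cylance_index]\nsearch = index=protect OR index=cylance_protect\n' > "$app/default/eventtypes.conf"
  # the admin-created index lands in local/; no default/indexes.conf exists, so it is not an override
  printf '[cylance_protect]\nhomePath = $SPLUNK_DB/cylance_protect/db\n' > "$app/local/indexes.conf"
  echo '<nav><view name="new_dashboard" default="true"/></nav>' > "$app/default/data/ui/nav/default.xml"
  echo '<nav><view name="old_dashboard" default="true"/></nav>' > "$app/local/data/ui/nav/default.xml"
  echo "$app"
}

demo_app="$(make_sample_app)"
echo "cylance_index search string: $(eventtype_search "$demo_app" cylance_index)"
echo "local files overriding defaults:"
local_overrides "$demo_app" | sed 's/^/  /'
```

Point the two functions at $SPLUNK_HOME/etc/apps/cylance_protect instead of the sample tree to run the same checks on a real search head.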