We are in the process of configuring Enterprise Security on our system. We don't have a lot of data sources, so the only data we have that populates the "Web" data model is the stream:http source from the Splunk Stream app. This looks to be sufficient for most Web-related dashboards; however, the "New Domain Analysis" dashboard under "Web Intelligence" fails to populate at all. I've configured everything required to use the "whois_system" modular input for this dashboard, in the absence of a domaintools API subscription; however, this has had no effect.
I've noticed that the searches tied to this dashboard appear to assume the data will have a full domain name in the Web.dest field, and from looking at a demo-data sandbox version of ES this appears to be the case for the non-stream sources. However, the stream:http source has the destination IP address in the Web.dest field. I think this is the problem, but even if not, is this perhaps a deviation from CIM compliance that should be fixed in the Stream app?
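As an added example (not part of the original post, and not ES's own search), here is a Splunk search that tests the hypothesis above against your own Web data model: it splits Web.dest values by source type and by whether the value is a bare IPv4 address rather than a host name. It assumes the standard CIM field name Web.dest and a Web data model whose root node is named Web; the regex, the `dest_kind` label and the output field names are my own choices.

```spl
| tstats count from datamodel=Web where nodename=Web by sourcetype, Web.dest
| rename Web.dest as dest
| eval dest_kind=if(match(dest, "^\d{1,3}(\.\d{1,3}){3}$"), "ipv4", "name")
| stats sum(count) as events dc(dest) as distinct_dests by sourcetype, dest_kind
```

If every stream:http row lands under `dest_kind=ipv4` while the other source types land under `name`, the mismatch described in the question is confirmed for your data. The search runs without summariesonly so it also works if the data model is not accelerated, at the cost of a slower raw search; add `summariesonly=true` once acceleration is enabled. If the Stream events also carry a `site` or `url` field with the HTTP Host header (an assumption about your Stream configuration, not something the post states), the same search with `Web.site` in place of `Web.dest` shows whether a host name is available elsewhere in the event.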