unlimitedtriada.blogg.se

Splunk dedup

Configuring Splunk

Install Pulse Policy Secure Syslog Add-On for Splunk

Download the TA_pulse_policy_secure_syslog_addon_1.0.0.tar.gz file from the Pulse Secure software downloads location and install it onto your Splunk server.

To configure the Pulse Policy Secure syslog Add-On:

2. In the Splunk Enterprise Dashboard, select the Admin tab > Manage Apps.
4. Click Browse and upload the TA_pulse_policy_secure_syslog_addon_1.0.0.tar.gz file to install the Pulse Secure Syslog Add-On for Splunk.
For upgrading the existing Pulse Policy Secure app, select the upgrade app option. Checking this overwrites the app if it already exists.
5. After installation, PulsePolicySecure Syslog-Add-On for Splunk appears in the App section with Splunk App version 1.0.0.

Indexing is a mechanism to speed up the search process by giving numeric addresses to the piece of data being searched. We can create a new index with the desired size for the data that is stored in Splunk. The additional data that comes in can use this newly created index with better search functionality.

2. Create a new Index.

To see the data logged by Pulse Policy Secure:

1. Under App: Search & Reporting, select the Search tab.
3. Enter the index query. For example, index=pulsesecure sourcetype=ppssyslogportparser.
You can select multiple PPS IP address/host name for querying from multiple PPS servers.
4. Press Enter.

Example 1: Sample Query for Admission Control

This sample query displays all the events from Pulse Policy Secure for Admission Control role change based on the selected time frame. You can customize the Splunk search query as per your requirement. For example, the src field from the syslog can be changed to Endpoint IP address.

Index=pulsesecure sourcetype=ppssyslogportparser |where Server_Ip in ("PPS8881") | where eventtype in ("Admission_Control_Action_Role_Change") | rename realm as Realm time as "Signed-in time" src as "Endpoint IP address" eventtype as "Admission Control Action" | table Username Realm "Signed-in time" "Updated_Roles" "Endpoint IP address" "Admission Control Action"

You can click the down arrow to view the role change events and additional fields from syslog data.

Example 2: Pulse Login Query for 元 agent login

This sample query displays all the events from Pulse Policy Secure for user login using Pulse Client.

Index=pulsesecure sourcetype=ppssyslogportparser |where Server_Ip in ("10.xx.xx.xx")| where eventtype = "Pulse_元_Auth" | rename user as BGR-Users realm as BGR-Realm roles as BGR-Roles time as "Login Time" src as "Endpoint IP" agent as "Agent Type" eventtype as "Pulse Login Type" Agent_Version as "PDC Version"|table BGR-Users BGR-Realm BGR-Roles "Endpoint IP" "Login Time" "Agent Type" "PDC Version" "Pulse Login Type"

You can click the down arrow to view the event extract details.

This sample query displays all the events from Pulse Policy Secure based on Pulse Profiler classification of endpoints.









