Splunk

Chronicle supports ingesting log data from Splunk. You create Splunk queries that target the specific logs to be pulled into a Chronicle Forwarder. The forwarder runs these queries on a configurable time interval to pull current data into Chronicle.

Requirements

  • Chronicle Forwarder

Query Examples

Using Splunk's query language, identify queries that will pull data from the data sources of your choice.

Windows Security Log

Log type: WINEVTLOG

search index=wineventlog source="WinEventLog:Security"

Windows System Log

Log type: WINEVTLOG

search index=wineventlog source="WinEventLog:System"

Windows Defender

Log type: WINDOWS_DEFENDER_ATP

search index=wineventlog source="WinEventLog:Microsoft-Windows-Windows Defender/Operational"

Windows DHCP

Log type: WINDOWS_DHCP

search index=wineventlog sourcetype=dhcpsrvlog

Gather Information

  • Splunk API user - credentials for a Splunk user with access to the Search API
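As an added example (not Chronicle's or Splunk's own code), the following shows the two things a poller built on the queries above has to get right: rejecting a malformed or over-broad query before it is scheduled, and computing contiguous, non-overlapping time windows per interval so no events are missed or ingested twice. It assumes Splunk's real REST endpoint `/services/search/jobs/export` with `earliest_time`/`latest_time` bounds; the interval, clock readings and checkpoint values are constructed.

```python
"""Validate the page's Splunk queries and window them for interval polling."""
import re
from urllib.parse import urlencode

# Queries from this page, keyed by the Chronicle log type they feed.
QUERIES = {
    "WINEVTLOG": 'search index=wineventlog source="WinEventLog:Security"',
    "WINDOWS_DEFENDER_ATP": 'search index=wineventlog source="WinEventLog:Microsoft-Windows-Windows Defender/Operational"',
    "WINDOWS_DHCP": "search index=wineventlog sourcetype=dhcpsrvlog",
}


def validate_query(q: str) -> str:
    """Reject queries that would fail in Splunk or over-collect into Chronicle."""
    if not q.startswith("search "):
        raise ValueError("query must begin with 'search '")
    if q.count('"') % 2:  # an unterminated quote makes Splunk reject the search
        raise ValueError("unbalanced double quote in query")
    m = re.search(r"\bindex=(\S+)", q)
    if not m or m.group(1).strip('"') == "*":
        raise ValueError("query must target a specific index, not index=*")
    return q


def is_valid_query(q: str) -> bool:
    try:
        validate_query(q)
        return True
    except ValueError:
        return False


def next_window(checkpoint: int, now: int, interval_s: int):
    """[earliest, latest) epoch window for one poll, or None if the interval has not elapsed."""
    if now - checkpoint < interval_s:
        return None
    return checkpoint, now


def poll_windows(checkpoint: int, clock_readings, interval_s: int):
    """Drive next_window over successive clock readings; the windows tile time exactly once."""
    windows = []
    for now in clock_readings:
        w = next_window(checkpoint, now, interval_s)
        if w:
            windows.append(w)
            checkpoint = w[1]  # the new checkpoint is the previous latest bound
    return windows, checkpoint


def export_request(base_url: str, query: str, earliest: int, latest: int):
    """URL and form body for Splunk's search/jobs/export endpoint (assumed endpoint)."""
    body = urlencode({"search": validate_query(query), "earliest_time": earliest,
                      "latest_time": latest, "output_mode": "json"})
    return f"{base_url}/services/search/jobs/export", body
```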