Customize lookups to detect data sources in your environment

Update the lookups in Splunk Security Essentials (SSE) so that these lookups can detect all data sources in your environment even if the default regex patterns in the lookups don't match your data sources.

Default regex patterns defined in the lookups match the source or sourcetype values in your indexed data. These default patterns match only the common add-on configurations. However, if your environment uses different values based on your installed add-ons and your data collection methods, SSE might not detect a data source that is available. You can update the lookup to match your environment so that all data sources can be detected.

Lookup fields to update

Each lookup entry has two key fields, and both must match your data for a data source to work end-to-end:
  1. regex_pattern: This field is matched against your data to detect whether the data source is available. If this field doesn't match, SSE doesn't recognize the data source.
  2. default_sourcetype_search: The SPL filter that searches use once the data source is confirmed. If this field is incorrect, searches return no results even after the data source is detected.

Troubleshooting common issues with lookups

Following are some common issues that you can troubleshoot to update your lookups:
  1. Missing wildcard character: A source pattern such as source=WinEventLog:Application* misses the XmlWinEventLog variant. To remedy this, add a leading wildcard, such as source=*WinEventLog:Application*, to the lookup.
  2. Incorrect field: Verify that the regex_field column names the field, source or sourcetype, whose value your data actually sets.
  3. Sourcetype mismatch: Some add-ons produce a different sourcetype than the one the default entry expects. Update both regex_pattern and default_sourcetype_search to match.
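As an added example that is not part of the SSE documentation or the app itself, the following Python script checks the two key fields described above against the source and sourcetype values you see in your environment, and reproduces the missing-wildcard and sourcetype-mismatch cases from the list. The lookup rows, the observed values and the product column are constructed; it assumes regex_pattern uses Splunk '*' wildcards as in the examples above (optionally with a leading source= or sourcetype=) and that default_sourcetype_search contains simple field=value terms.

```python
import csv
import io
import re

# Constructed sample lookup. Only regex_field, regex_pattern and
# default_sourcetype_search are columns from the page; "product" is a stand-in.
LOOKUP_CSV = """product,regex_field,regex_pattern,default_sourcetype_search
winapp-narrow,source,WinEventLog:Application*,source=WinEventLog:Application*
winapp-fixed,source,*WinEventLog:Application*,source=*WinEventLog:Application*
sysmon-mismatch,sourcetype,XmlWinEventLog:Microsoft-Windows-Sysmon/Operational,sourcetype=WinEventLog:Sysmon
"""

# Constructed source/sourcetype pairs, as you would collect them with
# | tstats count where index=* by source sourcetype
OBSERVED = [
    {"source": "WinEventLog:Application", "sourcetype": "WinEventLog"},
    {"source": "XmlWinEventLog:Application", "sourcetype": "XmlWinEventLog"},
    {"source": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational",
     "sourcetype": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"},
]

def wildcard_to_regex(pattern):
    """Anchored, case-insensitive regex for a Splunk-style '*' wildcard value."""
    return re.compile("^" + ".*".join(map(re.escape, pattern.split("*"))) + "$", re.I)

def strip_field_prefix(pattern, field):
    """Accept 'source=WinEventLog:App*' as well as a bare 'WinEventLog:App*'."""
    prefix = field + "="
    return pattern[len(prefix):] if pattern.lower().startswith(prefix) else pattern

def search_terms(spl):
    """Pull simple source=/sourcetype= terms out of an SPL filter (no OR/NOT)."""
    return re.findall(r'\b(source|sourcetype)=("[^"]*"|\S+)', spl, re.I)

def check_lookup(lookup_csv=LOOKUP_CSV, observed=OBSERVED):
    """Per row: (entries regex_pattern detects, entries default_sourcetype_search
    still selects). detected > searchable means SSE reports the data source as
    available but every search built on it comes back empty."""
    results = {}
    for row in csv.DictReader(io.StringIO(lookup_csv)):
        field = row["regex_field"].strip().lower()
        rx = wildcard_to_regex(strip_field_prefix(row["regex_pattern"].strip(), field))
        detected = [o for o in observed if rx.match(o[field])]
        terms = [(f.lower(), wildcard_to_regex(v.strip('"')))
                 for f, v in search_terms(row["default_sourcetype_search"])]
        searchable = [o for o in detected if all(t.match(o[f]) for f, t in terms)]
        results[row["product"]] = (len(detected), len(searchable))
    return results
```

Run it against your own export of the lookup and a tstats listing of source/sourcetype values; any row where the two counts differ is a candidate for the fixes in the list above.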

Update the lookup

Use one of the following methods to update the lookup:

  1. Manual updates to the lookup file: Locate the lookup file in $SPLUNK_HOME/etc/apps/Splunk_Security_Essentials/lookups/ and make the necessary changes manually.
  2. Use the Splunk app for Lookup File Editor: Open the Splunk app for Lookup File Editor, select SSE-default-data-inventory-products.csv, edit the required rows (for example, update regex_pattern or default_sourcetype_search), and save the changes.
Note: The Splunk app for Lookup File Editor provides a convenient way to make quick updates without accessing the filesystem. However, for long-term maintainability, you must maintain a separate customized copy of the lookup file: the lookup file is packaged with the app and gets overwritten when you upgrade SSE. Keep a record of your changes and reapply them after each upgrade.