Splunk

After the Splunk connection is set up in EPM-L, events are collected and can be viewed using the unified search feature.

Settings

siemcreddb

The name of the database file in which the Splunk credentials will be stored. The default is

/opt/pbul/dbs/pbsiemcred.db

siemcafile

The name of the optional Certificate Authority file used to initiate a secure HTTPS connection to the Splunk Enterprise or Cloud instance. There is no default value.

siemcertfile

The name of the optional certificate file used in a secure HTTPS connection. There is no default value.

siemkeyfile

The name of the optional key file used in a secure HTTPS connection. There is also no default value.

siemdeliverytimeout

This is used to specify the CURLOPT_TIMEOUT value, in seconds, associated with a libcurl-based connection to a Splunk instance. The default is 30.

sieminstances

One or more IDs to which events and IO logs will be delivered:

sieminstances cloud

siemdatatypes

Specify eventlog, iolog or both:

siemdatatypes eventlog iolog

siemoptions

Specify bulk insert options batchsize and usebulkapi, e.g.,

siemdoptions batchsize=10 usebulkapi

Note that usebulkapi, if included, specifies whether to forward multiple records in a single send that the message router failed to transfer initially. If usebulkapi is specified, then batchsize (default is 10), specifies the number of records that should be included in that send. Also note that siemoptions is not set by default.

siemiologfieldsizekb

Used to specify, in kilobytes, the amount of IO log data to send within a single part, via the IO log part mechanism for sending large IO logs in multiple parts to a destination. The default is 1024, and the range is from 8 to 65536.

siemiologfieldsizekb 1024

siemiologfieldsizekb 1024