
Splunk Enterprise is a data collection and indexing platform that ingests events from a variety of sources. It can be used to capture and report on events from Endpoint Privilege Management.

Prerequisites

The following versions of Splunk Enterprise and Endpoint Privilege Management Reporting are supported:

  • Splunk Enterprise 6.5 or later
  • Endpoint Privilege Management Reporting 4.5 or later

Forward Endpoint Privilege Management events into Splunk Enterprise

Splunk Enterprise allows you to collect BeyondTrust events in two different ways. This guide covers:

  • Collecting events from your endpoints, or from your Windows Event Collector node, using the Splunk Universal Forwarder. This approach is useful if you are collecting Windows event log events from multiple sources including Endpoint Privilege Management, or if you are not using the Endpoint Privilege Management Reporting database.
  • Importing events from the Endpoint Privilege Management Reporting database using Splunk DB Connect. This approach works with Endpoint Privilege Management Reporting database version 4.5 or later deployed with any of the BeyondTrust management platforms, and it does not require deploying any further agents to your endpoints.

Note: For more information, see the following:

Install the Splunk Universal Forwarder

Install the Splunk DB Connect Application

Data quantity

Typically, a well-configured Endpoint Privilege Management endpoint generates about fifteen to twenty events per day. This is highly dependent on configuration and can be significantly higher.

  • For DB Connect, set the Execution Frequency to an interval of at least one minute; every five minutes is a reasonable default. The cron-style schedule also lets you run imports at quiet times (for example, overnight) if timely delivery to Splunk matters less than conserving network bandwidth or database server resources.
  • For DB Connect, the Fetch Size in the database connection can remain at the default (300). It controls how many rows the driver retrieves per round trip to the database, not how many rows an execution imports.
  • The Max Rows to Retrieve setting can be used to cap the load of a single execution (for example, when catching up after an outage), but the recommended value is unlimited (0 or blank). This ensures all the data is collected: if the cap is set too low, each execution imports fewer rows than arrive between executions and the Splunk server falls behind.
  • Data held in the Reporting database is deduplicated. This is beneficial if you have a tiered approach to event collection, because DB Connect checkpoints on the rising column value: each execution imports only rows newer than the last one it saw, which makes batch processing straightforward.

You can also filter the data in the DB Connect query itself so that you import only the events you need.
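The following is an added example for this page, not BeyondTrust or Splunk code. It models the rising-column polling that a scheduled DB Connect execution performs against an in-memory SQLite table: a checkpoint on the rising column so each poll imports only new rows (and never re-imports or skips one, even when a poll is capped), a filter inside the query so only the event types you need are imported, and the failure mode described above, where a low row cap combined with a fixed execution interval lets the backlog grow instead of shrink. The table and column names (epm_events, event_id, event_type, host_name) and the "Housekeeping" event type are constructed for the demonstration and are not the real Endpoint Privilege Management Reporting schema.

```python
"""Rising-column polling of an event table, the mechanism Splunk DB Connect
relies on to pick up only new Reporting rows on each scheduled execution.

Added example, not BeyondTrust or Splunk code. The table and column names
(epm_events, event_id, event_type, host_name) are constructed for the demo
and are NOT the real Endpoint Privilege Management Reporting schema.
Uses an in-memory SQLite database so it runs offline.
"""
import sqlite3

# Event types in the constructed table. "Housekeeping" stands in for rows you
# do not want in Splunk; the query filters them out before import.
EVENT_TYPES = ("Housekeeping", "Blocked", "Elevated")

# Only rows newer than the checkpoint, only the types we need, in rising
# order so the last row returned is always a safe new checkpoint.
QUERY = """
SELECT event_id, event_type, host_name
FROM epm_events
WHERE event_id > ?
  AND event_type IN ('Blocked', 'Elevated')
ORDER BY event_id ASC
"""

PENDING = """
SELECT COUNT(*) FROM epm_events
WHERE event_id > ? AND event_type IN ('Blocked', 'Elevated')
"""


def insert_events(conn, first_id, count, type_of):
    """Insert `count` constructed rows with consecutive ids from first_id."""
    conn.executemany(
        "INSERT INTO epm_events VALUES (?, ?, ?)",
        [(i, type_of(i), "ws-%02d" % (i % 4))
         for i in range(first_id, first_id + count)],
    )
    conn.commit()


def make_db(backlog):
    """Create the constructed table pre-loaded with `backlog` rows, as if the
    Splunk side had been down for a while."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE epm_events (event_id INTEGER PRIMARY KEY, "
                 "event_type TEXT, host_name TEXT)")
    insert_events(conn, 1, backlog, lambda i: EVENT_TYPES[i % 3])
    return conn


def poll(conn, checkpoint, max_rows=0, fetch_size=300):
    """One scheduled execution. Returns (rows, new_checkpoint).

    max_rows=0 means unlimited (the recommended setting). fetch_size is how
    many rows the driver pulls per round trip; it does not limit the total.
    """
    cur = conn.execute(QUERY, (checkpoint,))
    cur.arraysize = fetch_size
    rows = []
    while True:
        batch = cur.fetchmany()
        if not batch:
            break
        rows.extend(batch)
        if max_rows and len(rows) >= max_rows:
            rows = rows[:max_rows]
            break
    # Advance the checkpoint only as far as what was actually imported, so a
    # capped poll never skips rows and an empty poll never moves it.
    new_checkpoint = rows[-1][0] if rows else checkpoint
    return rows, new_checkpoint


def pending(conn, checkpoint):
    """Rows matching the query that have not been imported yet."""
    return conn.execute(PENDING, (checkpoint,)).fetchone()[0]


def simulate(backlog, arrivals_per_interval, intervals, max_rows=0):
    """Run `intervals` poll cycles; new events arrive before each poll.

    Returns (imported_ids, rows_still_pending).
    """
    conn = make_db(backlog)
    checkpoint, next_id, imported = 0, backlog + 1, []
    for _ in range(intervals):
        insert_events(conn, next_id, arrivals_per_interval, lambda _i: "Elevated")
        next_id += arrivals_per_interval
        rows, checkpoint = poll(conn, checkpoint, max_rows=max_rows)
        imported.extend(r[0] for r in rows)
    return imported, pending(conn, checkpoint)


if __name__ == "__main__":
    # 1000-row backlog after an outage, 20 new events per five-minute interval.
    for cap in (0, 100):
        ids, lag = simulate(1000, 20, 5, max_rows=cap)
        print("max_rows=%d: imported %d rows, %d still pending, duplicates=%d"
              % (cap, len(ids), lag, len(ids) - len(set(ids))))
```

With the cap left unlimited the backlog is cleared on the first execution and every later poll imports exactly the rows that arrived since; with a cap of 100 rows per five-minute execution the import can never exceed 100 rows per interval, so the backlog shrinks by only 80 rows per cycle and hundreds of rows are still waiting after five executions. Either way the checkpoint logic imports each matching row exactly once, which is what makes the rising column usable as a batch boundary in a tiered collection design.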

Note: For more information, see Work with Data in Splunk Enterprise.


©2003-2025 BeyondTrust Corporation. All Rights Reserved.