超级会员免费看
现在导入各种Splunk 的数据到UBA 中,有些是没有tag 这个field 的,这个时候,就要人为的创造一个tag,字段来让UBA 认识,接受这个数据,那么问题来了:这个tag 要怎么设置呢?
看了一下资料:
The tags in the table have an implied AND and are evaluated as follows:
-
Categories that require a single tag such as Authentication will evaluate based on that tag. For example, authentication events must have
tag=authenticationto be parsed by Splunk UBA. Splunk UBA generates error messages when the percentage of valid events drops below a specific threshold. -
Categories with multiple tags such as DHCP have an implied AND among the tags, and are evaluated using a combination of all tags. For example, DHCP events must have all three of
tag=network, tag=session, tag=dhcpto be parsed by Splunk UBA. Splunk UBA generates error messages when the combined percentage of valid events falls below a specific threshold.
订阅专栏 解锁全文
557
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
