Splunk® User Behavior Analytics

Install and Upgrade Splunk User Behavior Analytics

This documentation does not apply to the most recent version of Splunk® User Behavior Analytics. For documentation on the most recent version, go to the latest release.

Obtain a Splunk license for ingesting Splunk UBA logs

Splunk UBA logs sent to Splunk Enterprise have a source type of uba:*. A new Splunk license allows Splunk UBA logs to be ingested free of charge, up to 150GB per day. You can specify a new custom index to use instead of potentially overloading the default _internal index. Once the Splunk UBA logs are ingested by Splunk Enterprise, they can be used by the Splunk UBA Monitoring App. See About the Splunk UBA Monitoring app in the Splunk UBA Monitoring App manual.

Perform the following tasks to request and obtain the license, and change the Splunk UBA Monitoring App to use the new index:

  1. Begin by contacting Splunk Support to request the new license. Specify the following:
    • Product: Splunk Enterprise
    • Area: Entitlement & Licensing
    • Feature: Licensing
    • Subject: Splunk Enterprise license for ingesting Splunk_UBA_logs
    • Description: Requesting license on Splunk Enterprise to ingest Splunk UBA Logs.
  2. Install the license on Splunk Enterprise. See Install a license in the Splunk Enterprise Installation manual.
  3. If you specify an index that does not already exist, create a new event index. See Create custom indexes in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
  4. Perform the following tasks in Splunk UBA:
    1. On each node in your Splunk UBA deployment, specify the target index for each stanza in the /opt/splunk/etc/system/local/inputs.conf file. For example:
      index = new_index
    2. On the management node, run the following commands to restart the Splunk forwarder so the new index setting takes effect:
      /opt/caspida/bin/Caspida stop-splunk
      /opt/caspida/bin/Caspida start-splunk
  5. On the Splunk search head with the Splunk UBA Monitoring App installed, modify the search macro uba_index to point to the new index.
    1. From Splunk web, select Settings > Advanced search.
    2. Click Add new in the Search Macros field.
    3. Select Splunk_UBA_Monitor as the Destination App.
    4. Specify uba_index as the Name of the macro.
    5. Specify the name of the new index in the Definition field. For example:
      (index=new_index)

      If you want to keep the data in the existing _internal index along with the new index, use the following syntax:

      (index IN (_internal, new_index))
    6. Click Save.
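The two configuration pieces above (the per-stanza index setting in inputs.conf on each UBA node, and the uba_index macro definition on the search head) are easy to get out of sync across nodes. The following is an added example, not Splunk's own tooling: it parses an inputs.conf, reports every stanza that is not routed to the intended index, and builds the macro definition for the index list you actually use. The stanza names and file content are constructed for illustration; real UBA stanzas differ.

```python
"""Check that every stanza in a UBA node's inputs.conf routes to the custom index,
and build the matching uba_index macro definition.

Added example, not Splunk's own code. The sample config is constructed."""
import configparser
from typing import Dict, List

# Constructed sample inputs.conf (hypothetical monitor stanzas, not real UBA ones).
# The second stanza has no index (falls back to _internal), the third is wrong.
SAMPLE_INPUTS_CONF = """
[monitor:///var/vcap/sys/log/caspida/app.log]
sourcetype = uba:app
index = new_index

[monitor:///var/vcap/sys/log/caspida/ui.log]
sourcetype = uba:ui

[monitor:///var/log/other.log]
sourcetype = uba:other
index = _internal
"""


def parse_inputs_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk .conf text into {stanza: {key: value}}, keeping key case."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # Splunk .conf keys are case-sensitive
    parser.read_string(text)
    return {stanza: dict(parser[stanza]) for stanza in parser.sections()}


def stanzas_not_routed_to(conf: Dict[str, Dict[str, str]], target_index: str) -> List[str]:
    """Return stanzas whose index is unset or differs from target_index.

    An unset index means events land in the default index, which for
    Splunk UBA logs is the _internal index this procedure is moving away from."""
    return [stanza for stanza, kv in conf.items() if kv.get("index") != target_index]


def uba_index_macro(indexes: List[str]) -> str:
    """Build the uba_index macro definition for one index or several.

    Mirrors the two syntaxes shown in step 5: (index=new_index) for a single
    index, (index IN (_internal, new_index)) to keep searching both."""
    if len(indexes) == 1:
        return f"(index={indexes[0]})"
    return f"(index IN ({', '.join(indexes)}))"


if __name__ == "__main__":
    conf = parse_inputs_conf(SAMPLE_INPUTS_CONF)
    for stanza in stanzas_not_routed_to(conf, "new_index"):
        print(f"not routed to new_index: [{stanza}]")
    print("macro definition:", uba_index_macro(["_internal", "new_index"]))
```

Run it against the real file on each node (for example by reading /opt/splunk/etc/system/local/inputs.conf instead of the constructed sample) before restarting the forwarder, so that a stanza left on _internal is caught before the macro is changed.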
Last modified on 24 June, 2020

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2

