Splunk UBA Monitoring app requirements
Review and validate the requirements before using the Splunk UBA Monitoring app.
Splunk UBA and Splunk Enterprise compatibility
The Splunk UBA Monitoring app requires the following combination of Splunk UBA with Splunk Enterprise:
Splunk UBA Version | Splunk Enterprise Version |
---|---|
Splunk UBA 4.3.0 and later | Splunk Enterprise 7.0 or later |
The Splunk UBA Monitoring app is not supported on Splunk Cloud.
Configure where the Splunk UBA Monitoring app sends data
By default, the Splunk UBA Monitoring app forwards data to the _internal
index on Splunk Enterprise. Users of the Splunk UBA Monitoring app must have read access to the _internal
index in order to see any data when using the app. Users with the admin
role have this permission by default. Non-admin users can be granted this access by qualified admin
users. See About users and roles in the Splunk Enterprise Admin Manual.
Splunk UBA release 5.0.0 and later provide the option to send data to Splunk Enterprise using sourcetype uba:*
instead of _internal
. You must contact your Splunk support representative to obtain a new Splunk license for ingesting Splunk UBA logs free of charge. See Obtain a Splunk license for ingesting Splunk UBA logs in Install and Upgrade Splunk User Behavior Analytics.
Enable the receiver in Splunk Enterprise
The forwarder on Splunk UBA connects to the Splunk Enterprise receiver on port 9997 by default. The receiver on Splunk Enterprise must be enabled to receive data from the forwarder on Splunk UBA. See Enable a receiver in the Splunk Enterprise Forwarding Data manual.
PREVIOUS About the Splunk UBA Monitoring app |
NEXT Install the Splunk UBA Monitoring App |
This documentation applies to the following versions of Splunk® User Behavior Analytics Monitoring App: 1.0.0
Feedback submitted, thanks!