Splunk® User Behavior Analytics Monitoring App

This documentation does not apply to the most recent version of Splunk® User Behavior Analytics Monitoring App. For documentation on the most recent version, go to the latest release.

Send Splunk UBA logs to a custom index on Splunk Enterprise

You can specify a custom index to use instead of potentially overloading the default _internal index. Once the Splunk UBA logs are ingested by Splunk Enterprise, they can be used by the Splunk UBA Monitoring App.

Send Splunk UBA logs to a custom index for new Splunk UBA installations

Perform the following tasks to send Splunk UBA logs to a custom index on Splunk Enterprise:

  1. Contact Splunk Support to request the Splunk license for ingesting Splunk UBA logs. See Obtain a Splunk license for ingesting Splunk UBA logs in Install and Configure Splunk User Behavior Analytics.
  2. Perform the following tasks on the Splunk UBA master node:
    1. Add the splunk.forwarder.server.index.name property to the /etc/caspida/local/conf/uba-site.properties file and set it to the name of the Splunk UBA index. For example:
      splunk.forwarder.server.index.name=ubaindex
      If you specify an index name that does not already exist, create a new event index. See Create custom indexes in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
    2. In distributed deployments, synchronize the cluster by running the following command:
      /opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
    3. Run the following command to switch the index for all forwarders from the default _internal index to the new index (ubaindex in this example):
      /opt/caspida/bin/Caspida switch-splunk-index
  3. On the Splunk search head with the Splunk UBA Monitoring App installed, modify the search macro uba_index to point to the new index.
    1. From Splunk web, select Settings > Advanced search.
    2. Click Add new in the Search Macros field.
    3. Select Splunk_UBA_Monitor as the Destination App.
    4. Specify uba_index as the Name of the macro.
    5. Specify the name of the new index in the Definition field. For example:
      (index=ubaindex)

      If you want to keep the data in the existing _internal index along with the new index, use the following syntax:

      (index IN (_internal, ubaindex))
    6. Click Save.
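The two configuration changes above (the uba-site.properties property on the master node and the uba_index macro definition on the search head) are both plain text edits, so they can be scripted and checked. The following POSIX shell script is an added example, not part of the Splunk documentation or of Splunk UBA itself. It edits a properties file idempotently (adding the property if absent, replacing it if present, so the script can be rerun safely), rejects index names that would not be valid for Splunk, and renders the macro definition in both forms shown above, plus a macros.conf stanza. The file path and the macros.conf stanza format (a [uba_index] stanza with a definition key, placed under the Splunk_UBA_Monitor app's local directory) are assumptions based on standard Splunk conventions; the path to the real properties file is the one named in step 2 above.

```shell
#!/bin/sh
# Added example (not Splunk's own code): manage the Splunk UBA forwarder index
# property and the matching uba_index search macro as text.
# Assumption: FILE is a copy of /etc/caspida/local/conf/uba-site.properties;
# the macros.conf stanza format follows standard Splunk conventions.
set -eu

PROPERTY="splunk.forwarder.server.index.name"

# set_uba_index_property FILE INDEX
# Adds the property if it is absent and replaces it if present, so running the
# function twice leaves exactly one line for the property.
set_uba_index_property() {
  file="$1"
  index="$2"
  # Conservative validation: lowercase letters, digits, underscore, hyphen only.
  # This also keeps shell and sed metacharacters out of the substitution below.
  case "$index" in
    ''|*[!a-z0-9_-]*) echo "invalid index name: $index" >&2; return 1 ;;
  esac
  if grep -q "^${PROPERTY}=" "$file" 2>/dev/null; then
    # Rewrite into a temp file, then move it over the original.
    sed "s|^${PROPERTY}=.*|${PROPERTY}=${index}|" "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
  else
    printf '%s=%s\n' "$PROPERTY" "$index" >> "$file"
  fi
}

# get_uba_index_property FILE
# Prints the configured index name, or nothing if the property is unset.
get_uba_index_property() {
  sed -n "s|^${PROPERTY}=||p" "$1" | tail -n 1
}

# render_uba_index_macro INDEX [keep_internal]
# Prints the macro definition for the new index only, or, when the second
# argument is "keep_internal", the variant that also searches _internal.
render_uba_index_macro() {
  index="$1"
  if [ "${2:-}" = "keep_internal" ]; then
    printf '(index IN (_internal, %s))\n' "$index"
  else
    printf '(index=%s)\n' "$index"
  fi
}

# render_macros_conf INDEX [keep_internal]
# Emits the macros.conf stanza for the Splunk_UBA_Monitor app's local directory
# (assumed location: $SPLUNK_HOME/etc/apps/Splunk_UBA_Monitor/local/macros.conf).
render_macros_conf() {
  printf '[uba_index]\ndefinition = %s\n' "$(render_uba_index_macro "$@")"
}
```

A typical use is `set_uba_index_property /etc/caspida/local/conf/uba-site.properties ubaindex` followed by the sync-cluster and switch-splunk-index commands from the procedure, and `render_macros_conf ubaindex keep_internal` to produce the macro stanza for the search head. Validating the index name before writing it matters because the property value flows into forwarder configuration unchanged; the same validation rejects a value with spaces or quotes that would otherwise break the macro definition.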

Perform additional setup on Splunk Enterprise when upgrading the Splunk UBA Monitoring App

If you are upgrading the Splunk UBA Monitoring App on Splunk Enterprise to the latest version, you will see a window indicating additional setup is required to complete the upgrade. Perform the following tasks:

  1. Click Set up now to set up the new version of the Splunk UBA Monitoring App.
  2. Update the macro for the Splunk UBA index. The default is (index=_internal). To add a custom index called ubaindex, change the macro to the following:
    (index=_internal OR index=ubaindex)
    Keep _internal so that all existing data prior to the upgrade is preserved for continuity.
  3. Click Save.
Last modified on 22 October, 2020

This documentation applies to the following versions of Splunk® User Behavior Analytics Monitoring App: 1.1
