Splunk® Enterprise Security

Installation and Upgrade Manual

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of ES. Click here for the latest version.
Acrobat logo Download topic as PDF

Predictive Analytics dashboard

Configuration information on this page is currently a work in progress; expect frequent near-term updates.

The Predictive Analytics dashboard uses the predictive analysis functionality in Splunk to provide statistical information about the your search results and identify outliers in your data.


Choose the data model, object, function, attribute, and time range for your search. The graph shows probably results over time and a table displays individual events that fall outside of the predicted range.

Relevant data sources

Relevant data sources for this dashboard include searches generated by a data model and filtered to

How to configure this dashboard

1. Index relevant data sources from a device, application, or system in Splunk.

2. Map the data to the data models in your deployment. See the Common Information Model Add-on Manual for more information. The Common Information Model fields bunit and category are derived by automatic identity lookup, and do not need to be mapped directly.

Dashboard description

Predictive Analytics dashboard data is derived from the data model you select for your search, and accelerated automatically. To verify that authentication data is present, use this search:

 | datamodel <data_model_name> <object_object> search

To verify that events are being accelerated by the data model correctly, use this search (be careful not to search across all time):

 | tstats summariesonly=true count from datamodel=<data_model_name> by user

For more information on distributed namespaces, see "Verify that a data model namespace exists" in the troubleshooting section of this manual. See "Tscollect" and "Data Model" in the Splunk Search Reference Manual for more information about data models and namespaces.

Useful searches/Troubleshooting

Troubleshooting Task Search/Action Expected Result
Verify that you have data from your network device(s) sourcetype=<your_sourcetype_for_your_data> Returns data from your network device(s).
Verify that authentication data is normalized to the Common Information Model properly | datamodel <data_model_name> <object_name> search | table sourcetype action app src src_user dest user Returns a list of events and the specific access activity fields of data populated from your device(s)

Additional Information

For more information about using the Predictive Analytics dashboard, see "Predictive Analytics dashboard" in the Splunk App for Enterprise Security User Manual.

Last modified on 20 December, 2013
Incident Review dashboard
Event Investigator dashboards

This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters