Splunk® Enterprise Security

Install and Upgrade Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

High Performance Analytics Store namespaces

The Splunk App for Enterprise Security creates High Performance Analytics Store namespaces to store summary statistical data from accelerated data models. This information is used by dashboards and correlation searches throughout the app.

Namespace details

This table shows a namespace and its attributes, including the searches that populate the namespace, the search macro used to identify the data that will be stored in the namespace, the fields of information stored, and the suggested retention period for the data.

sa_host_meta

Namespace: sa_host_meta
Location (SA-*): SA-AuditAndDataProtection
Generating Search: Audit - Host Event Count over Time - TSIDX Gen
Search Schedule: 25 4,16 * * *
Data Source (search macro): metasearch index=* sourcetype!=stash
Fields: _time, host*, tag, count
Suggested Retention Period: 365 days

Legend

Fields marked with an asterisk (*) expand to several fields:

host* == host,host_bunit,host_category,host_pci_domain
dest* == dest,dest_bunit,dest_category,dest_pci_domain
dvc* == dvc,dvc_bunit,dvc_category,dvc_pci_domain
src* == src,src_bunit,src_category,src_pci_domain
src_user* == src_user,src_user_bunit,src_user_category
user* == user,user_bunit,user_category

Namespace retention

The limit for the length of time that namespaces are retained ("namespace retention time") is specified in the $SPLUNK_HOME/etc/apps/<add-on>/default/tsidx_retention.conf file. The recommended retention times are not enforced in code out-of-the-box; they are commented out.

To apply the recommended settings, un-comment the retention settings in your local copy (local/tsidx_retention.conf) of the file and save it.

For example:

Out of the box, the $SPLUNK_HOME/etc/apps/SA-Utils/default/tsidx_retention.conf file looks like this:

[sa_traffic]
## 90 days
#retentionTimePeriodInSecs = 7776000

Configure the retention time in the "local" version of the file - $SPLUNK_HOME/etc/apps/SA-Utils/local/tsidx_retention.conf - like this:

[sa_traffic]
# 90 days
retentionTimePeriodInSecs = 7776000

You can also set the retention span to a different value (in seconds).

Edit the local/tsidx_retention.conf file in each of the add-ons where you want to modify the TSIDX namespace retention time. The namespaces in your deployment will be "cleaned up" (purged) whenever these settings are reached.

Deprecated namespaces and data models

Data models now generate and store information previously handled by tsidx searches and stored in namespaces. See the Common Information Model Add-on Manual for more information about these data models.

This section lists the namespaces that have been deprecated and the data models now used.

Data model namespace retention

The limit for the length of time that accelerated data model namespaces are retained ("earliest acceleration time") is handled by the $SPLUNK_HOME/etc/apps/<add-on>/default/datamodels.conf file in the add-on where the data model is located. Data models and their datamodels.conf file must be located in the same app.

For example:

[Network_Traffic]
acceleration.earliest_time = -3mon

You can set the retention span to a different value, using the same relative time format as the example above (for instance, -3mon). Edit the local/datamodels.conf file in each of the add-ons where you want to modify the High Performance Analytics Store namespace retention time. The namespaces in your deployment will be "cleaned up" (purged) whenever these settings are reached.
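The two retention mechanisms above share one pitfall: a setting that only exists commented out in an add-on's default/ directory is never applied, and only an uncommented copy in local/ changes anything. The following added example (not Splunk's own code) re-creates that default/local layering for tsidx_retention.conf and datamodels.conf, using constructed sample files that mirror the snippets on this page, and reports which namespaces still have no retention limit after merging.

```python
"""Audit Splunk default/local conf layering. Added example, not Splunk's
code: a key that is only present commented out in default/ contributes
nothing until an uncommented copy exists in local/ (local overrides default)."""

# Constructed sample mirroring the page: the shipped default keeps the
# recommended retention commented out, so nothing is enforced.
DEFAULT_TSIDX = """
[sa_traffic]
 ## 90 days
 #retentionTimePeriodInSecs = 7776000
[sa_host_meta]
 ## 365 days
 #retentionTimePeriodInSecs = 31536000
"""

# Constructed sample: the admin's local copy enables sa_traffic only.
LOCAL_TSIDX = """
[sa_traffic]
# 90 days
retentionTimePeriodInSecs = 7776000
"""

def parse_conf(text):
    """Minimal Splunk .conf reader: [stanza] headers and key = value lines;
    blank lines and lines starting with # (even indented) are dropped."""
    conf, stanza = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf.setdefault(stanza, {})
        elif "=" in line and stanza is not None:
            key, _, value = line.partition("=")
            conf[stanza][key.strip()] = value.strip()
    return conf

def effective_conf(default_text, local_text):
    """Layer the two files the way Splunk does: local wins over default."""
    merged = parse_conf(default_text)
    for stanza, settings in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(settings)
    return merged

def unenforced(default_text, local_text, key="retentionTimePeriodInSecs"):
    """Stanzas still lacking the key after merging: those namespaces are
    never purged because no retention limit applies to them."""
    merged = effective_conf(default_text, local_text)
    return sorted(s for s, kv in merged.items() if key not in kv)
```

Pass a datamodels.conf pair with key="acceleration.earliest_time" to run the same check on accelerated data model namespaces.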

sa_authentication

The sa_authentication namespace has been deprecated in favor of the Authentication data model.

sa_accnt_mgmt, sa_endpoint, sa_endpoint_change

The sa_accnt_mgmt, sa_endpoint, and sa_endpoint_change namespaces have been deprecated in favor of the Change Analysis data model.

sa_os, sa_uptime

The sa_os and sa_uptime namespaces have been deprecated in favor of the Compute Inventory data model.

sa_whois

The sa_whois namespace has been deprecated in favor of the Domain Analysis data model.

sa_notables

The sa_notables namespace has been deprecated in favor of the Incident Management data model.

sa_ids

The sa_ids namespace has been deprecated in favor of the Intrusion Detection data model.

sa_malware, sa_malware_ops

The sa_malware and sa_malware_ops namespaces have been deprecated in favor of the Malware data model.

sa_sessions

The sa_sessions namespace has been deprecated in favor of the Network Sessions data model.

sa_traffic, sa_port_proto

The sa_traffic and sa_port_proto namespaces have been deprecated in favor of the Network Traffic data model.

sa_cpu, sa_memory, sa_disk

The sa_cpu, sa_memory, and sa_disk namespaces have been deprecated in favor of the Performance data model.

sa_views

The sa_views namespace has been deprecated in favor of the Splunk Audit data model.

sa_updates

The sa_updates namespace has been deprecated in favor of the Updates data model.

sa_vulns

The sa_vulns namespace has been deprecated in favor of the Vulnerabilities data model.

sa_proxy, sa_http_category, sa_http_user_agent

The sa_proxy, sa_http_category, and sa_http_user_agent namespaces have been deprecated in favor of the Web data model.

Threat Lists

The Threat Lists data model is new.

Last modified on 19 February, 2014

This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1
