High Performance Analytics Store namespaces
The Splunk App for Enterprise Security creates High Performance Analytics Store namespaces to store summary statistical data from accelerated data models. This information is used by dashboards and correlation searches throughout the app.
This table shows a namespace and its attributes: the saved search (and its cron schedule) that populates the namespace, the search used to identify the data that will be stored in the namespace, the fields of information stored, and the suggested retention period for the data.

| Namespace | Location (SA-*) | Generating Search | Fields | Suggested Retention Period |
|---|---|---|---|---|
| sa_host_meta | SA-AuditAndDataProtection | Audit - Host Event Count over Time - TSIDX Gen (cron schedule: 25 4,16 * * *); search: metasearch index=* sourcetype!=stash | _time, host*, tag, count | 365 days |
Fields marked with an asterisk (*) expand to a number of other fields:

host* = host, host_bunit, host_category, host_pci_domain
dest* = dest, dest_bunit, dest_category, dest_pci_domain
dvc* = dvc, dvc_bunit, dvc_category, dvc_pci_domain
src* = src, src_bunit, src_category, src_pci_domain
src_user* = src_user, src_user_bunit, src_user_category
user* = user, user_bunit, user_category
The limit for the length of time that namespaces are retained ("namespace retention time") is specified in the $SPLUNK_HOME/etc/apps/<add-on>/default/tsidx_retention.conf file. The recommended retention times are not enforced out of the box; the settings are present but commented out, so no purging takes place until you enable them.

To apply the recommended settings, un-comment the retention settings in your local copy of the file (local/tsidx_retention.conf) and save it.

Out of the box, the $SPLUNK_HOME/etc/apps/SA-Utils/default/tsidx_retention.conf file looks like this:

[sa_traffic]
## 90 days
#retentionTimePeriodInSecs = 7776000

Configure the retention time in the "local" version of the file, $SPLUNK_HOME/etc/apps/SA-Utils/local/tsidx_retention.conf, like this:

[sa_traffic]
# 90 days
retentionTimePeriodInSecs = 7776000

You can also set the retention span to a different value (in seconds). Edit the local/tsidx_retention.conf file in each of the add-ons where you want to modify the TSIDX namespace retention time. Data in the namespaces in your deployment is "cleaned up" (purged) once it is older than the configured retention time.
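Because the default retention settings are commented out, a deployment can silently keep namespace data indefinitely. The following script, added here as an example and not part of the Splunk documentation or the app's own code, merges a default/tsidx_retention.conf with its local/ override the way Splunk layers them and reports which namespaces actually have retention enforced; the two .conf files are constructed samples, and the sa_host_meta stanza is assumed for illustration.

```python
# Added example: audit effective TSIDX namespace retention across default/ and local/.
import configparser
import io

# Constructed sample files mirroring the page's layout: default/ has the
# recommended values commented out (nothing enforced); local/ enables one.
DEFAULT_CONF = """
[sa_traffic]
## 90 days
#retentionTimePeriodInSecs = 7776000

[sa_host_meta]
## 365 days (assumed stanza, for illustration only)
#retentionTimePeriodInSecs = 31536000
"""

LOCAL_CONF = """
[sa_traffic]
# 90 days
retentionTimePeriodInSecs = 7776000
"""

KEY = "retentionTimePeriodInSecs"


def parse_conf(text):
    """Parse a Splunk-style .conf (INI syntax, '#' comment lines) into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep Splunk's camelCase keys as written
    cp.read_file(io.StringIO(text))
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}


def effective_retention(default_text, local_text):
    """Return {namespace: seconds or None}. local/ keys override default/ keys;
    a namespace whose only setting is commented out resolves to None (not enforced)."""
    merged = parse_conf(default_text)
    for stanza, keys in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(keys)
    return {ns: (int(keys[KEY]) if KEY in keys else None) for ns, keys in merged.items()}


def retention_report(default_text, local_text):
    """One line per namespace: whether retention is enforced and for how many days."""
    lines = []
    for ns, secs in sorted(effective_retention(default_text, local_text).items()):
        if secs is None:
            lines.append(f"{ns}: retention NOT enforced (setting commented out)")
        else:
            lines.append(f"{ns}: retention enforced, {secs // 86400} days")
    return lines


if __name__ == "__main__":
    print("\n".join(retention_report(DEFAULT_CONF, LOCAL_CONF)))
```

Point the script at the real default/ and local/ files of each SA-* add-on to find namespaces that are still retained indefinitely.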
Deprecated namespaces and data models
Data models now generate and store information previously handled by tsidx searches and stored in namespaces. See the Common Information Model Add-on Manual for more information about these data models.
This section lists the namespaces that have been deprecated and the data models now used.
Data model namespace retention
The limit for the length of time that accelerated data model namespaces are retained ("earliest acceleration time") is handled by the $SPLUNK_HOME/etc/apps/<add-on>/default/datamodels.conf file in the add-on where the data model is located. Data models and their datamodels.conf file must be located in the same app. For example:

[Network_Traffic]
acceleration.earliest_time = -3mon

You can set the retention span to a different value (in seconds). Edit the local/datamodels.conf file in each of the add-ons where you want to modify the High Performance Analytics Store namespace retention time. Data in the namespaces in your deployment is "cleaned up" (purged) once it is older than the configured retention time.
sa_authentication namespace has been deprecated in favor of the Authentication data model.
sa_accnt_mgmt, sa_endpoint, sa_endpoint_change namespaces have been deprecated in favor of the Change Analysis data model.
sa_uptime namespace has been deprecated in favor of the Compute Inventory data model.
sa_whois namespace has been deprecated in favor of the Domain Analysis data model.
sa_notables namespace has been deprecated in favor of the Incident Management data model.
sa_ids namespace has been deprecated in favor of the Intrusion Detection data model.
sa_malware_ops namespace has been deprecated in favor of the Malware data model.
sa_sessions namespace has been deprecated in favor of the Network Sessions data model.
sa_port_proto namespace has been deprecated in favor of the Network Traffic data model.
sa_cpu, sa_memory, sa_disk namespaces have been deprecated in favor of the Performance data model.
sa_views namespace has been deprecated in favor of the Splunk Audit data model.
sa_updates namespace has been deprecated in favor of the Updates data model.
sa_vulns namespace has been deprecated in favor of the Vulnerabilities data model.
sa_proxy, sa_http_category, sa_http_user_agent namespaces have been deprecated in favor of the Web data model.
The Threat Lists data model is new.
This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1