Predictive Analytics dashboard
The Predictive Analytics dashboard uses the predictive analysis functionality in Splunk to provide statistical information about your search results and to identify outliers in your data.
Choose the data model, object, function, attribute, and time range for your search. The graph shows the probable results over time, and a table displays the individual events that fall outside of the predicted range.
Relevant data sources
Relevant data sources for this dashboard include searches generated by a data model and filtered to
How to configure this dashboard
1. Index relevant data sources from a device, application, or system in Splunk.
2. Map the data to the data models in your deployment. See the Common Information Model Add-on Manual for more information. The Common Information Model fields bunit and category are derived by automatic identity lookup, and do not need to be mapped directly.
Dashboard description
Predictive Analytics dashboard data is derived from the data model you select for your search. To verify that data is present, search the applicable data model using the search structure:
| datamodel <data_model_name> <object_name> search
Example:
| datamodel Authentication Authentication search
To verify that events are being accelerated by the data model correctly, use this search (be careful not to search across all time):
| tstats summariesonly=true count from datamodel=<data_model_name> by user
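The outlier table the dashboard produces can be reproduced by hand with the same accelerated data model data; the following search is an added example and is not the dashboard's own search. It assumes the Authentication data model is accelerated, buckets failed authentication counts per hour, fits a seasonal model with predict, and keeps only the hours whose observed count falls outside the predicted 95% band.

```spl
| tstats summariesonly=true count from datamodel=Authentication.Authentication
    where Authentication.action="failure" by _time span=1h
| predict count algorithm=LLP
| where count > 'upper95(count)' OR count < 'lower95(count)'
| table _time count prediction(count) lower95(count) upper95(count)
```

The field names with parentheses must be single-quoted in the where clause; constrain the time range, since predict over all time on an unaccelerated model is slow and the resulting band is dominated by old data.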
Useful searches/Troubleshooting
| Troubleshooting Task | Search/Action | Expected Result |
|---|---|---|
| Verify that you have data from your network device(s) | `sourcetype=<your_sourcetype_for_your_data>` | Returns data from your network device(s). |
| Verify that authentication data is normalized to the Common Information Model properly | `\| datamodel <data_model_name> <object_name> search \| table host, sourcetype, <object_name>.*` | Returns a list of events and the specific access activity fields populated from your device(s). |
Additional Information
For more information about using the Predictive Analytics dashboard, see "Predictive Analytics dashboard" in the Splunk App for Enterprise Security User Manual.
This documentation applies to the following versions of Splunk® Enterprise Security: 3.1, 3.1.1, 3.2, 3.2.1, 3.2.2