Splunk® Enterprise Security

Install and upgrade Splunk Enterprise Security

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Predictive Analytics dashboard

The Predictive Analytics dashboard uses the predictive analysis functionality in Splunk to provide statistical information about the your search results and identify outliers in your data.

ES31 PredAnaly top.png

Choose the data model, object, function, attribute, and time range for your search. The graph shows probably results over time and a table displays individual events that fall outside of the predicted range.

Relevant data sources

Relevant data sources for this dashboard include searches generated by a data model and filtered to

How to configure this dashboard

1. Index relevant data sources from a device, application, or system in Splunk.

2. Map the data to the data models in your deployment. See the Common Information Model Add-on Manual for more information. The Common Information Model fields bunit and category are derived by automatic identity lookup, and do not need to be mapped directly.

Dashboard description

Predictive Analytics dashboard data is derived from the data model you select for your search. To verify that data is present, search the applicable data model using the search structure: 



| datamodel <data_model_name> <object_object> search




Example:
| datamodel Authentication Authentication search 


To verify that events are being accelerated by the data model correctly, use this search (be careful not to search across all time):



 | tstats summariesonly=true count from datamodel=<data_model_name> by user


Useful searches/Troubleshooting





Troubleshooting Task

Search/Action

Expected Result




Verify that you have data from your network device(s)

sourcetype=<your_sourcetype_for_your_data>

Returns data from your network device(s).




Verify that authentication data is normalized to the Common Information Model properly

| datamodel <data_model_name> <object_name> search | table host, sourcetype, <object_name>.*

Returns a list of events and the specific access activity fields of data populated from your device(s)



Additional Information


For more information about using the Predictive Analytics dashboard, see "Predictive Analytics dashboard" in the Splunk App for Enterprise Security User Manual.





						

					

                                    						 
								 									 
 Last modified on 30 April, 2015 

								 						                 


									

						

															
									
										
									
								
								
									PREVIOUS

									
										Configure risk scoring									
										
															 
															
									NEXT

									
										Event Investigator dashboards									
										
								
									
										
									
								
														

					

						

		This documentation applies to the following versions of Splunk® Enterprise Security: 
		3.1, 3.1.1, 3.2, 3.2.1, 3.2.2	

	



				
				

									

			

			
			
						
		

	







    

		
		
		

		
		

			

				

					

						

							

								
								

									

										

											

												
												
												

													Was this documentation topic helpful?
													
												


												

																								

													
													
												


																								
												

                                                    
												


												
												

												

												
											

											
										

									

								

							

							
							
													  
							
							

								

									

										

																							
You must be logged into splunk.com in order to post comments.
													Log in now.
												

																							

												Please try to keep this discussion focused on the content covered in this documentation topic.
												If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk,
												consider posting a question to Splunkbase Answers.
											

											

												
												
0
												out of 1000 Characters