Splunk® Enterprise Security

Install and Upgrade Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Predictive Analytics dashboard

The Predictive Analytics dashboard uses the predictive analysis functionality in Splunk to provide statistical information about the your search results and identify outliers in your data.

ES31 PredAnaly top.png

Choose the data model, object, function, attribute, and time range for your search. The graph shows probably results over time and a table displays individual events that fall outside of the predicted range.

Relevant data sources

Relevant data sources for this dashboard include searches generated by a data model and filtered to

How to configure this dashboard

1. Index relevant data sources from a device, application, or system in Splunk.

2. Map the data to the data models in your deployment. See the Common Information Model Add-on Manual for more information. The Common Information Model fields bunit and category are derived by automatic identity lookup, and do not need to be mapped directly.

Dashboard description

Predictive Analytics dashboard data is derived from the data model you select for your search. To verify that data is present, search the applicable data model using the search structure:

| datamodel <data_model_name> <object_object> search

Example:

| datamodel Authentication Authentication search 

To verify that events are being accelerated by the data model correctly, use this search (be careful not to search across all time):

 | tstats summariesonly=true count from datamodel=<data_model_name> by user

Useful searches/Troubleshooting

Troubleshooting Task Search/Action Expected Result
Verify that you have data from your network device(s) sourcetype=<your_sourcetype_for_your_data> Returns data from your network device(s).
Verify that authentication data is normalized to the Common Information Model properly | datamodel <data_model_name> <object_name> search | table host, sourcetype, <object_name>.* Returns a list of events and the specific access activity fields of data populated from your device(s)

Additional Information

For more information about using the Predictive Analytics dashboard, see "Predictive Analytics dashboard" in the Splunk App for Enterprise Security User Manual.

Last modified on 30 April, 2015
Configure risk scoring   Event Investigator dashboards

This documentation applies to the following versions of Splunk® Enterprise Security: 3.1, 3.1.1, 3.2, 3.2.1, 3.2.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters