Splunk® Enterprise Security

Use Splunk Enterprise Security



This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Predictive Analytics dashboard

Use the Predictive Analytics dashboard to look for anomalous activity in your data. The dashboard applies the Splunk predict search command to a statistic computed from a data model (for example, the distinct count of sources per hour), plots the predicted value with its confidence band, and lists the results that fall outside that band as outliers.

[Screenshot: Predictive Analytics dashboard (ES31 PredAnaly top.png)]

The Predictive Analytics dashboard filters depend on one another from left to right: the Object drop-down is populated from the selected Data Model, and the Function and Attribute drop-downs are populated from the selected Object. To analyze data with predictive analytics, choose a data model, an object, a function, an attribute, and a time range, then click Search.

Dashboard filters

Use the available dashboard filters to refine the results displayed on the dashboard panels.

Data Model
    Description: Specifies the data model to search. The available data models are listed in the drop-down.
    Action: Drop-down; select a data model.

Object
    Description: Specifies the object (dataset) within the selected data model to search. A Data Model must be selected before an Object can be chosen.
    Action: Drop-down; select an object.

Function
    Description: Specifies the statistical function applied to the attribute for each time bucket. For example, choose "avg" to analyze the average of the attribute, or "dc" to analyze the distinct count of the attribute's values.
    Action: Drop-down; select a function.

Attribute
    Description: Specifies the attribute (field) of the selected object that the function is applied to. For example, choose "src" to analyze the source of the events. An Object must be selected before an Attribute can be chosen.
    Action: Drop-down; select an attribute.

Time Range
    Description: Selects the time range to analyze. The prediction is built from the results within this range, so a short range yields little history for the model.
    Action: Drop-down; select a time range.

Advanced
    Description: Opens the advanced predict options, which control the settings passed to the predict command.
    Action: Link; opens a window of optional predict settings.

Dashboard Panels

Prediction Over Time
    Shows the selected statistic over the chosen time range together with its prediction. The shaded area is the confidence band: results that fall within two standard deviations of the mean value of the search results.

Outliers
    Lists the results that fall outside the shaded band, that is, more than two standard deviations away. These are the results that a correlation search created from this dashboard would alert on.

Data sources

The Predictive Analytics dashboard is not restricted to any specific data source; it references data in whichever data model you select. If the data model acceleration is unavailable or incomplete for the chosen time range, the dashboard search falls back to searching the unaccelerated raw events for the missing portion, which is correct but can be much slower over a long time range.
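The following SPL is an added illustration of the kind of search the filters described above assemble; it is not copied from the dashboard's own saved search. It assumes Data Model = Authentication, Object = Authentication, Function = dc, Attribute = src, and an hourly bucket over the last seven days (all of these are example choices). The predict command's default 95% band is the confidence interval the Outliers panel is based on, and summariesonly=false (the default) is what lets the search fall back to raw events when the acceleration is incomplete.

```spl
| tstats summariesonly=false dc(Authentication.src) AS dc_src
    FROM datamodel=Authentication.Authentication
    WHERE earliest=-7d@h latest=now
    BY _time span=1h
| predict dc_src AS prediction algorithm=LLP future_timespan=0
| where dc_src > 'upper95(prediction)' OR dc_src < 'lower95(prediction)'
| table _time dc_src prediction "lower95(prediction)" "upper95(prediction)"
```

The where clause is the Outliers panel in search form: only buckets whose observed value lies outside the predicted band survive. Remove it to get the series behind the Prediction Over Time panel. Setting summariesonly=true instead shows only what the acceleration summary covers, which is a quick way to see how much of the range would otherwise be served from raw events.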

Create a correlation search

From this dashboard, you can create a correlation search that reuses the search parameters of your current predictive analytics search. The correlation search runs on a schedule and creates a notable event whenever it returns results, that is, whenever an outlier is found.

Click Save as Correlation Search... to open the Create Correlation Search dialog.

[Screenshot: Create Correlation Search dialog (ES-CreateCorrelationSearch.png)]

Select the Security domain and Severity for the notable event created by this search. Add a search name and search description. Click Save.

To view and edit correlation searches, go to Configure > General > Custom Searches. See the "Edit Correlation Search page" in the Installation and Configuration manual.

Troubleshooting

1. This dashboard references data from the selected data model. If the data model contains no data for the chosen time range, the panels remain empty.

2. Use the Open in Search link in the lower left corner of a dashboard view to run the underlying search directly against the data model. The resulting search view exposes the search commands and data model objects used to populate the panel, which is the quickest way to see why a panel is empty or slow.

3. Validate that the data model is being accelerated.

In the Splunk App for Enterprise Security, browse to Audit > Data Model Audit. Review the Acceleration Details panel for the acceleration status of the data model, including how much of the summary range has been built.
Note: For more information about data model acceleration and the Enterprise Security App, see "Data models in the Enterprise Security app" in the Installation and Configuration Manual.
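As an added check for troubleshooting step 3 (not part of the original page), the following SPL compares, per day, how many events the acceleration summary holds against how many the data model returns when raw events are allowed. Days with coverage below 100% are the portion of the time range the Predictive Analytics dashboard has to serve from unaccelerated events. The data model name and the seven-day range are assumptions; substitute the model you selected on the dashboard.

```spl
| tstats summariesonly=true count AS accelerated
    FROM datamodel=Authentication.Authentication
    WHERE earliest=-7d@d latest=@d
    BY _time span=1d
| append
    [| tstats summariesonly=false count AS total
        FROM datamodel=Authentication.Authentication
        WHERE earliest=-7d@d latest=@d
        BY _time span=1d]
| stats sum(accelerated) AS accelerated sum(total) AS total BY _time
| fillnull value=0 accelerated total
| eval coverage_pct=if(total > 0, round(100 * accelerated / total, 1), 100)
| where coverage_pct < 100
```

If the search returns no rows, the summary fully covers the range and the dashboard's searches run entirely from accelerated data. If it returns every day, the acceleration is disabled or has not finished building; check the Acceleration Details panel in Data Model Audit and the data model's acceleration settings. The second tstats call is the expensive one, so keep the range short on busy deployments.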
Last modified on 25 May, 2015
This documentation applies to the following versions of Splunk® Enterprise Security: 3.3.0, 3.3.1, 3.3.2, 3.3.3