Splunk Enterprise Security contains predefined key indicators modeled on use cases from the security domain dashboards within ES. A key indicator includes a value indicator, a trend amount, a trend indicator, and a threshold value used to indicate the importance or priority of the indicator.
Key indicators are designed to provide a visual reference for several security-related metrics at a glance. Each key indicator displays several elements.
- Description of the metric: A brief description of the security-related metric.
- Value indicator: Displays the current count of events. If a threshold is set, the numbers will change color as they cross thresholds. This is also a link to a drilldown search.
- Trend amount: Displays the change in the event count over time.
- Trend indicator: Displays a directional arrow to indicate the direction of the Trend amount. The arrow will change color and direction.
Key indicators are populated by searches that represent an event count over time. By default, the relative time span is 48 hours. The key indicator searches run against the data models defined in Enterprise Security, or the data models defined in the Common Information Model app. A few key indicators run searches against the count of notable events.
Edit key indicators
Enterprise Security includes preconfigured key indicators. Each dashboard key indicator row includes an editor that allows simple, visual changes to be made directly to the key indicators without leaving the dashboard. Additionally, advanced changes can be made through the Enterprise Security Content Management page.
Select the Edit pencil icon to the top left of the indicator bar. The editing tools display above the indicators.
Arrange key indicators
Drag and drop the indicators to rearrange them. There can be 5 indicators per row, and multiple indicator rows.
Remove key indicators
To remove an indicator, click the X to the top right of the indicator. Removing the indicator from a dashboard does not remove the key indicator configuration from Enterprise Security.
Add key indicators
To add key indicators, click the plus icon in the editor tab to open the Add indicators panel. There are more than 60 predefined key indicators. Click the checkmark icon to save.
Set a threshold
You can set a threshold value for each key indicator. A threshold is an acceptable value for the event count in an indicator. After the threshold is set, the value indicator will change colors to show if the event count is normal or notable. If no threshold is set, the value indicator numbers will remain black. If the threshold is larger than the count in a value indicator, the numbers will change to green. If the threshold is smaller than the count, the numbers will change to red.
Configure key indicators
Key indicator configuration changes are made within Enterprise Security. Browse to Configure > Content Management
The Content Management page
The Content Management page displays all views, key indicators, and saved, entity investigator, and correlation searches. You can sort by type to refine what is displayed. Select a type of key indicators to view only key indicators. For key indicators, the option to Accelerate the search can be enabled directly on the Content Management page, or on the Edit Key Indicator Search page.
Use the Actions column on the Content Management page to accelerate a key indicator search.
Select the Accelerate link on the Content Management page to enable acceleration and set a basic schedule for the scheduled report Refresh Frequency. After a key indicator is accelerated, the Next Scheduled Time is populated on the Content Management page and the lightning bolt for that indicator changes from grey to yellow.
Edit Key Indicator Search page
Browse to Configure > Content Management and select a Key Indicator search to view the Edit Key Indicator Search page. This page allows you to change the advanced options for a key indicator. You can also use the Preview button to review configuration changes before saving.
The Edit Key Indicator Search configuration page defines a number of fields.
- Search Name: A brief descriptor of the indicator search.
- Destination App: The name of the app that contains the search.
- Title: The title text that will appear above the indicator on a dashboard.
- Sub-title: The text that will appear below the title, used to describe the count type.
- Search: The search string to run.
- Drilldown URL: This field is used to override the default behavior of the link embedded in a key indicator. If the field is left empty, clicking the key indicator link will take you to the search results that generate the data displayed in the key indicator. Insert a new search url in the Drilldown URL field to open a custom search when the link is clicked.
Key indicators are accelerated through scheduling. An accelerated key indicator search runs as a scheduled report. The scheduled report results are cached, allowing the indicator to display on the dashboard more quickly. After the cached search results are available, the loading time of a key indicator will improve.
- Schedule: The checkbox enables acceleration for a key indicator search.
- Cron Schedule: Edit or change the schedule frequency using standard cron notation.
If a key indicator is accelerated, the Next Scheduled Time is populated on the Custom Searches page and the lightning bolt for that indicator changes from grey to yellow.
- Threshold: A number that determines the color assigned to the value indicator.
- If no threshold number is set, the value indicator numbers will remain black.
- If the threshold number is larger than the count in a value indicator, the value indicator numbers will change color to green.
- If the threshold number is smaller than the count, the value indicator numbers will change color to red.
- The trend indicator arrow changes direction with the threshold. The color behavior can be changed using the Invert option.
- Value suffix: An optional, descriptive name for the value indicator. The Value suffix will be placed between the Value Indicator and the Trend Indicator.
- Invert: Select the checkbox to change the default behavior of the trend indicator threshold and invert the colors.
- If the threshold number is larger than the count in a value indicator, the value indicator numbers will change color to red.
- If the threshold number is smaller than the count, the value indicator numbers will change color to green.
- Preview: A button used to preview changes made to the key indicator display options before saving.
Create custom key indicators
You can add a new key indicator on the Content Management page in Enterprise Security.
- Navigate to Configure > Content Management.
- Choose Create New Content and select Key Indicator Search.
- On the New Key Indicator Search page, define the key indicator name, search, and other details. The key indicators that come with ES use data models to accelerate the return of results. Select Schedule to use data model acceleration for your custom key indicator.
- Click Save.
Add a custom dashboard
This documentation applies to the following versions of Splunk® Enterprise Security: 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.2.0 Cloud only, 4.2.1 Cloud only, 4.2.2 Cloud only