Splunk® Enterprise Security

Use Splunk Enterprise Security

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Create a glass table

Create a glass table to visualize and monitor the security status of your environment. You can add security metrics like key indicators or ad-hoc searches that update in real-time against a background that you design.

  1. In the main menu, click Glass Tables.
  2. Click Create New Glass Table.
  3. Type a Title, Description, and set Permissions for your new glass table.
  4. Click Create Glass Table to create the glass table.

See Monitor threat activity in your environment with a glass table for a walkthrough of how to set up a glass table in the context of a security use case.

Build a glass table visualization

Create a glass table using the flexible canvas and editing tools on the glass table editor.

  1. From the list of Glass Tables, click the name of the glass table.
  2. Use the editing tools to upload images, draw shapes, add icons, add text, and make connections to reflect the relationship between the metrics.
  3. In the panel of security metrics, click any metric to view the key indicator search widgets available to add.
  4. Click and drag one or more of the key indicator search widgets onto the drawing canvas.
    A widget appears on the canvas, displaying the associated search values, which continuously update in real-time.
  5. Add additional widgets to build out the dynamic elements of your visualization.
  6. Click Save.

Key indicator search values update at regular intervals according to the search schedule that you define when you create the search.

Configure widgets

After you add a widget to your glass table, configure it to optimize performance, add a custom drilldown, and customize the widget appearance for a particular glass table design. Key indicator searches populate the widgets included in the glass table. Make changes to the key indicator searches on the Content Management dashboard.

  1. In the Glass Table editor, click a widget.
  2. For Custom Drilldown, click On.
  3. Select a drilldown destination or type a URL.
  4. For Viz Type, select an appropriate option to display your search results. Visualization types include single-value, gauge, sparkline, and single value delta.
  5. Click Update to update the widget configuration.
  6. Click Save.

Create and configure search widgets

You can also create a custom widget to display search results. Add a new search to any glass table, define a custom search string, and customize the appearance of the search widget using a variety of visualization types.

Write your custom search outside of glass table to confirm that it produces expected results. Your custom search must include the timechart command, or stats by _time to use thresholding.

  1. In the glass table editor, click and drag Ad hoc Search onto the canvas.
  2. In the Configurations panel, for Search Type, type your custom search string.
  3. Use the time picker to select the end time for your search. Defaults to Now.
  4. For Threshold Field, type the field that you want to use as the threshold for your search.
    For example, count.
  5. For Thresholds, click On to enable the thresholds for the search widget.
  6. Click Edit to edit the threshold.
  7. In the threshold window, add thresholds for the search widget. This determines the color of the widget, which indicates the current status of the metric.
  8. Select a Viz Type for your search widget.
  9. Click Update to update the widget to the new visualization and display your search results over the specified time range.
  10. Click Save.
Last modified on 13 April, 2017
PREVIOUS
Creating new content in Splunk Enterprise Security
  NEXT
Managing glass tables

This documentation applies to the following versions of Splunk® Enterprise Security: 4.5.0, 4.5.1, 4.5.2, 4.5.3


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters