Splunk® Enterprise Security

Administer Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Create and manage swim lane searches in Splunk Enterprise Security

Create a swim lane search to define a swim lane that you can add to the Asset Investigator or Identity Investigator dashboard. Swim lanes on the investigator dashboards help you profile activity by a specific asset or identity over time.

  1. From the Enterprise Security menu bar, select Configure > Content Management.
  2. Click Create New Content and select Swim Lane Search.
  3. Type a Search Name.
  4. Select a Destination App.
  5. Type a Title for the swim lane that appears on the dashboard.
  6. Type a Search that populates the swim lane.
  7. Type a Drilldown Search that runs when a user clicks a swim lane item. By default, the swim lane item drilldown shows the raw events.
  8. Select a color.
  9. Select an Entity Type of Asset or Identity.
  10. Type Constraint Fields. Type a field to specify constraints on the search. Your search must contain where $constraints$ to use these constraint fields in the search. Only specific constraints are valid for each type of swim lane search.
    For example, an Asset Investigator swim lane search using the Malware data model and the Malware_Attacks data model dataset could specify the Malware_Attacks.user field as a constraint.
  11. Click Save.


For example, create a swim lane to identify all authentication events involving a specific asset.

  1. Type a Search Name of Authentication by Asset - Example
  2. Select a Destination App of DA-ESS-AccessProtection.
  3. Type a Title of All Authentication for the swim lane that appears on the dashboard.
  4. Type a Search that populates the swim lane.

    | tstats `summariesonly` values(Authentication.action) as action,values(Authentication.app) as app,values(Authentication.src) as src,values(Authentication.dest) as dest,values(Authentication.user) as user,count from datamodel=Authentication.Authentication where $constraints$ by _time span=$span$

  5. Type a Drilldown Search.

    | `datamodel("Authentication","Authentication")` | search $constraints$

  6. Select the color Purple.
  7. Select an Entity Type of Asset, because you want to investigate all authentication events by asset and add this swim lane to the Asset Investigator dashboard. With this entity type, every constraint field performs a reverse lookup against the other fields that identify an asset.
  8. Type constraint fields of Authentication.src and Authentication.dest to identify authentications originating from or targeting a specific asset.

Assuming an asset lookup entry with an IP address of, dns of server.example.com, and nt_host of server1, the search for this swim lane searches for all authentication events where the source or destination of the authentication event is, server.example.com, or server1.

... Authentication.src= OR Authentication.src=server.example.com OR Authentication.src=server1 OR Authentication.dest= OR Authentication.dest=server.example.com OR Authentication.dest=server1
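
The expansion described above can be modeled offline to preview the search string a swim lane runs for a given asset. This is an added example, not Splunk code: the function names, the sample IP address 192.0.2.10, the 1h span, and the handling of empty identifiers are assumptions made for illustration.

```python
# Constructed asset lookup entry; the ip value is a documentation-range placeholder.
ASSET = {"ip": "192.0.2.10", "dns": "server.example.com", "nt_host": "server1"}

# Constraint fields and swim lane search taken from the example on this page.
FIELDS = ["Authentication.src", "Authentication.dest"]
SEARCH = (
    "| tstats `summariesonly` values(Authentication.action) as action,"
    "values(Authentication.app) as app,values(Authentication.src) as src,"
    "values(Authentication.dest) as dest,values(Authentication.user) as user,"
    "count from datamodel=Authentication.Authentication "
    "where $constraints$ by _time span=$span$"
)


def expand_constraints(constraint_fields, asset):
    """Pair every constraint field with every identifier of the asset, joined by OR."""
    # Assumption of this sketch: identifiers the lookup leaves empty are skipped,
    # so no clause of the form field=<nothing> is produced.
    values = [v for v in asset.values() if v]
    if not constraint_fields or not values:
        raise ValueError("need at least one constraint field and one asset identifier")
    return " OR ".join(f"{f}={v}" for f in constraint_fields for v in values)


def render_search(template, constraint_fields, asset, span):
    """Fill the $constraints$ and $span$ tokens of a swim lane or drilldown search."""
    if "$constraints$" not in template:
        # Without the token, the constraint fields have no effect on the search.
        raise ValueError("search does not contain the $constraints$ token")
    clause = expand_constraints(constraint_fields, asset)
    return template.replace("$constraints$", clause).replace("$span$", span)


if __name__ == "__main__":
    # Span of 1h is an assumed sample value for the $span$ token.
    print(render_search(SEARCH, FIELDS, ASSET, "1h"))
```

Pasting the rendered string into a search window is a quick way to check that a new swim lane search returns events for a known asset before adding the lane to a dashboard.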

Last modified on 14 September, 2018

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1
