Splunk® Enterprise Security

Use Splunk Enterprise Security

Download manual as PDF

Download topic as PDF

Manage glass tables in Splunk Enterprise Security

Glass tables allow you to visualize security metrics in your environment in a flexible way. Manage the glass tables included with Splunk Enterprise Security and the glass tables that you create yourself on the glass tables lister page.

To access the glass tables lister page, click Glass Tables on the Splunk Enterprise Security menu bar.

Modify a glass table

After you create a glass table, you can continue to make changes to it.

  1. From the list of glass tables, click Edit next to the glass table that you want to modify.
  2. Choose whether you want to edit the glass table itself, edit the title or description, or edit permissions.

Restore a glass table that you deleted after importing it as part of an app

If you imported a glass table as part of an app and later deleted the glass table, you cannot import the glass table again to restore it. Instead, do the following:

  1. Disable the app that the glass table was imported in.
  2. Wait a few minutes for the app importer to run.
  3. Enable the app.
    The glass table reappears.

Clone a glass table to make a template

You can clone a glass table to make a template, or to preserve a glass table included with Splunk Enterprise Security as an original and make experimental changes on another version.

  1. From the list of glass tables, click Edit next to the glass table that you want to modify.
  2. Click Clone.
  3. Type a new title.
  4. (Optional) Type a new description.
  5. (Optional) Change the permissions of the cloned glass table.
  6. Click Clone Page.

Access to glass tables

All users can view glass tables, but you must have the ess_analyst, ess_admin, or admin role or have the "Edit glass tables" capability to create and modify glass tables. If you do not have the necessary permissions, talk to your Splunk Enterprise Security administrator.

Searches available to glass tables

Ad hoc search widgets that you create on individual glass tables cannot be shared automatically with other glass tables. Key indicator searches populate the list of security metrics available to add as predefined widgets. ES admins can create and edit key indicator searches on the Content Management page. See Create and manage key indicator searches in Splunk Enterprise Security.

Performance and storage of glass tables

Glass table content is stored in the KV store. The glass table definitions are stored in the SplunkEnterpriseSecuritySuite_glasstables collection. Files added to glass tables, such as images, are stored in the SplunkEnterpriseSecuritySuite_files collection. Custom widgets, images, and other items that you add to a glass table are all stored in this collection.

The performance of individual glass tables depends on the number of search widgets on a glass table. When you open a glass table for viewing, each search runs at the same time. Searches on glass tables with 200 or more search widgets could take 10-15 seconds to show data on the glass table.

Export a glass table

You can export a glass table to share it with others or to back it up. See Export content from Splunk Enterprise Security as an app in Administer Splunk Enterprise Security.

PREVIOUS
Create a glass table in Splunk Enterprise Security
  NEXT
Introduction to the dashboards available in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters