Splunk® Enterprise Security

Administer Splunk Enterprise Security


Expand Content Management searches to view dependency and usage information in Splunk Enterprise Security

In Content Management, you can see more details about knowledge objects such as data models, correlation searches, lookups, investigations, key indicators, glass tables, and reports.

Additional details

With these additional details, you can verify the health status, statistics, and associated knowledge objects of each object, and confirm that the proper technical add-ons are populating data for it.

  1. From the Splunk ES menu bar, select Configure > Content > Content Management.
  2. (Optional) From the Type filter, select a type such as Search or Data Model.
  3. From the event information column of a search or data model, click the greater than (>) symbol to expand the display.

    Not every Type includes the greater than (>) symbol, and each Type shows different details.

The following table describes the additional usage details and dependencies:

Status: Icon that shows the overall health. If the icon is not a green checkmark, you are not ingesting enough data for this content to report accurately.

Statistics: For searches, if the saved search is scheduled, this shows execution statistics from the _audit index. For data models, if the data model is accelerated, execution statistics are also returned for the acceleration search.

Associated Searches: The saved searches that use this object or dataset.

Associated Panels: The panels that use this object or dataset.

Indexes: The indexes that this object or dataset uses. If the icon is a green checkmark, the index has events for the past 24 hours.

Lookups: The lookups that this object or dataset uses. If the icon is a green checkmark, the row counts for the CSV or KV Store lookup files are not empty.

Sourcetypes: The sourcetypes that this object or dataset uses. For example, if you have Unix hosts in your environment and expect to see that sourcetype listed here but do not, you know that you need to revise how you are getting that data into Splunk. If the icon is a green checkmark, the index has events for the past 24 hours.

Tags: The tags that this object or dataset uses.

Associated objects are only visible if there is data to populate them. If there is no data to populate them, then you will see a message such as "No associated objects or datasets found."
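The indicators above (execution statistics from _audit, indexes with events in the past 24 hours, non-empty lookups, sourcetypes present per index) can also be checked with searches run outside the Content Management view, for example to schedule an alert when content stops receiving data. The following SPL is an added example, not part of this topic or of the Content Management app. It assumes the standard _audit fields written for completed searches (savedsearch_name, total_run_time, result_count) and uses my_lookup.csv as a placeholder for the lookup name you want to check; replace it with the lookup shown in the Lookups row. Each search is independent and is run on its own.

```spl
index=_audit action=search info=completed savedsearch_name!="" earliest=-7d
| stats count AS runs, avg(total_run_time) AS avg_run_time_sec, max(total_run_time) AS max_run_time_sec, sum(result_count) AS total_results BY savedsearch_name
| sort - avg_run_time_sec

| rest /services/data/indexes splunk_server=local
| fields title
| rename title AS index
| join type=left index [| tstats count AS events_24h WHERE index=* earliest=-24h BY index]
| fillnull value=0 events_24h
| eval status=if(events_24h>0, "green", "no events in past 24h")
| table index, events_24h, status

| tstats count AS events_24h WHERE index=* earliest=-24h BY index, sourcetype
| sort index, sourcetype

| inputlookup my_lookup.csv
| stats count AS rows
| eval status=if(rows>0, "green", "empty lookup")
```

The first search reproduces the Statistics row for scheduled searches over the past seven days. The second lists every index defined on the search head and flags the ones with no events in the past 24 hours, which is the condition behind the Indexes checkmark; the left join is what keeps indexes with zero events in the result, since tstats alone only returns indexes that have data. The third shows which sourcetypes actually arrived in each index, so a sourcetype you expect but do not see (the Unix example above) stands out. The fourth mirrors the Lookups check; for a KV Store collection, use the lookup definition name instead of the .csv file name.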


This documentation applies to the following versions of Splunk® Enterprise Security: 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0

