Splunk® Enterprise Security

Install and Upgrade Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Share data in Splunk Enterprise Security

When Splunk Enterprise Security is deployed on Splunk Enterprise, the Splunk platform sends anonymized usage data to Splunk Inc. ("Splunk") to help improve Splunk Enterprise Security in future releases. For information about how to opt in or out, and how the data is collected, stored, and governed, see Share data in Splunk Enterprise.

How data is collected

Splunk Enterprise Security uses saved searches to collect anonymous usage data. These searches run in the background regardless of whether or not you opt-in to send usage data to Splunk, and do not have any significant impact on performance.

What data is collected

Splunk Enterprise Security collects the following basic usage information:

Name Description Example
app.SplunkEnterpriseSecuritySuite.active_users Report the number of active users. 
{
  "version": "1.0",
  "end": 1521483766,
  "begin": 1521396000,
  "data": {
    "analyst_count": 0,
    "count": 1,
    "admin_count": 1,
    "user_count": 0
  }
}
app.SplunkEnterpriseSecuritySuite.datamodel_
distribution 		Performs a data model audit to determine which models are the most heavily used. 
{
  "data": {
    "size": 2265088,
    "datamodel": "Change_Analysis",
    "perc": 49.33
  },
  "version": "1.0"
}
app.SplunkEnterpriseSecuritySuite.feature_usage
  • Page Load Times: reports the amount of time it takes for a page to load
  • Feature Usage: reports data about feature usage
 
{
  "end": 1521483766,
  "begin": 1521396000,
  "version": "1.0",
  "data": {
    "count": 1,
    "avg_spent": 515,
    "view": "ess_home"
  }
}
app.SplunkEnterpriseSecuritySuite.identity_manager Reports statistics pertaining to the usage of the Assets and Identities Framework. 
{
"data": { [-]
"asset_blacklist_count": 0,
"asset_count": 3,
"asset_custom_count": 1,
"asset_custom_fields": 0,
"asset_enabled_count": 1,
"asset_ldap_count": 0,
"asset_search_count": 0,
"identity_blacklist_count": 0,
"identity_count": 3,
"identity_custom_count": 0,
"identity_custom_fields": 0,
"identity_enabled_count": 2,
"identity_ldap_count": 0,
"identity_search_count": 0,
"total_blacklist_count": 0,
"total_count": 6,
"total_custom_count": 1,
"total_enabled_count": 3,
"total_ldap_count": 0,
"total_search_count": 0
},
"version": 1.0
}
app.SplunkEnterpriseSecuritySuite.lookup_usage Reports statistics pertaining to the usage of the Asset & Identity Manager, such as lookup table size and number of entries. 
{
  "data": {
    "count": 0,
    "size": 22,
    "transform": "access_app_tracker"
  },
  "version": "1.0"
}
app.SplunkEnterpriseSecuritySuite.search_actions Reports what was searched for. 
{
  "data": {
    "total_scheduled": 70,
    "action": "output_message",
    "is_adaptive_response": 1,
    "count": 6
  },
  "version": "1.0"
}
app.SplunkEnterpriseSecuritySuite.search_execution Reports average run time by search, to help gauge performance. 
{
  "end": 1521483766,
  "begin": 1521396000,
  "data": {
    "avg_run_time": 0.75,
    "count": 2,
    "search_alias": "Access - Authentication Tracker - Lookup Gen"
  },
  "version": "1.0",
}
Last modified on 05 May, 2020
About Splunk Enterprise Security   Deployment planning

This documentation applies to the following versions of Splunk® Enterprise Security: 6.0.1, 6.0.2, 6.1.0, 6.1.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters