Splunk® Enterprise Security

Administer Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Create and manage key indicator searches in Splunk Enterprise Security

Configure key indicator searches on Content Management in Splunk Enterprise Security. Use the filters to select a type of key indicator to view only key indicator searches.

Create a custom key indicator search

Create a key indicator search to create a key indicator that you can add to a dashboard or glass table as a security metric.

  1. From the Enterprise Security menu bar, select Configure > Content > Content Management.
  2. Click Create New Content and select Key Indicator Search.
  3. Type a key indicator name.
    In order for the key indicator to show up in the list of security metrics on glass table, type a category or security domain at the beginning of the key indicator name followed by a hyphen. For example, APT - Example Key Indicator or Access - Sample Key Indicator.
  4. Type a search, and other details.
    The key indicators that come with Enterprise Security use data models to accelerate the return of results.
  5. (Optional) Select Schedule to use data model acceleration for your custom key indicator.
  6. Type the name of the field that corresponds to the value of the key indicator in the Value field.
  7. Type the name of the field that corresponds to the change in the key indicator in the Delta field.
  8. (Optional) Type a Threshold for the key indicator. The threshold controls whether the key indicator changes color. You can also set the threshold in dashboards and on glass tables.
  9. Type a Value Suffix to indicate units or another word to follow the key indicator.
  10. Select the Invert check box to invert the colors of the key indicator. Select this check box to indicate that a high value is good and a low value is bad.
  11. Click Save.

Schedule a key indicator search

Key indicators included with Splunk Enterprise Security use data model acceleration. Enable acceleration and schedule the search to run as a scheduled report. Scheduled report results are cached, allowing the indicator to display results on the dashboard more quickly.

  1. Select Configure > Content > Content Management.
  2. Locate the key indicator search that you want to accelerate.
  3. Click Accelerate in the Actions column.
  4. In the Edit Acceleration window, select the Accelerate check box.
  5. Select a Refresh Frequency for how often Enterprise Security should update the cached results.
  6. Click Save.

After a key indicator is accelerated, the Next Scheduled Time populates on the Content Management page and the lightning bolt for that indicator changes from grey to yellow.

Edit a key indicator search

Make changes to a key indicator search.

  1. From the ES menu bar, select Configure > Content > Content Management
  2. Select a key indicator search.
  3. (Optional) Change the search name.
  4. (Optional) Change the destination app where the search is stored.
  5. (Optional) Change the title of the key indicator. The title appears above the key indicator on a dashboard, or next to the security metric on a glass table.
  6. (Optional) Change the sub-title of the key indicator that is used to describe the type of the key indicator function on dashboards.
  7. (Optional) Change the search string that populates the key indicator.
  8. (Optional) Add a drilldown URL such as a custom search or dashboard link to override the default drilldown behavior. By default, the key indicator drilldown opens the search results that produced the key indicator value. For key indicators on glass tables, you can set a custom drilldown when you add the key indicator to the glass table.
  9. (Optional) Select the Schedule check box to enable acceleration for a key indicator and allow it to load faster on a dashboard.
  10. (Optional) Change the Cron Schedule frequency using standard cron notation.
  11. (Optional) Change the Threshold behavior to determine the color assigned to the value indicator. By default, no threshold produces a black value indicator, a threshold number higher than the count of a value indicator produces a green value indicator, and a threshold number lower than the count of a value indicator produces a red value indicator.
  12. (Optional) Add a Value suffix to describe the value indicator. For example, specify units. On dashboards, the value suffix appears between the value indicator and the trend indicator.
  13. (Optional) Select the Invert check box to change the default colors of the trend indicator threshold. If this check box is selected, a threshold number higher than the count of a value indicator produces a red value indicator, and a threshold number lower than the count of a value indicator produces a green value indicator.
  14. Click Save.
Last modified on 06 January, 2021
Create and manage data models in Splunk Enterprise Security   Create and manage saved searches in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters