Splunk® Enterprise Security

Use Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, so some links might produce redirect errors. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Create a glass table in Splunk Enterprise Security

Create a glass table to visualize and monitor the security status of your environment. You can add security metrics like key indicators or ad hoc searches that update in real time against a background that you design.

  1. In the main menu, click Glass Tables.
  2. Click Create New Glass Table.
  3. Type a Title, Description, and set Permissions for your new glass table.
  4. Click Create Glass Table to create the glass table.

See Monitor threat activity in your environment with a glass table for a walkthrough of how to set up a glass table in the context of a security use case.

Build a glass table visualization

Create a glass table using the flexible canvas and editing tools on the glass table editor.

  1. From the list of glass tables, click the name of the glass table.
  2. Use the editing tools to upload images, draw shapes, add icons, add text, and make connections to reflect the relationship between the metrics.
  3. In the panel of security metrics, click any metric to view the key indicator search widgets available to add. If you do not see the one you need, an ES admin can create a new key indicator search. See Create and manage key indicator searches in Splunk Enterprise Security in Administer Splunk Enterprise Security.
  4. Click and drag one or more of the key indicator search widgets onto the drawing canvas.
    A widget appears on the canvas, displaying the associated search values, which continuously update in real time. See Configure widgets for details.
  5. Add additional widgets to build out the dynamic elements of your visualization.
  6. Click and drag Ad hoc Search onto the drawing canvas to add a custom widget that displays the results of a search. See Create and configure search widgets for details.
  7. Click Save.

Configure widgets

After you add a widget to your glass table, configure it to optimize performance, add a custom drilldown, and customize the widget appearance for a particular glass table design. Key indicator searches populate the widgets included in the glass table. Make changes to the key indicator searches on the Content Management dashboard.

  1. In the glass table editor, click a widget.
  2. For Custom Drilldown, click On.
  3. Select a drilldown destination or type a URL.
  4. For Viz Type, select an appropriate option to display your search results. Visualization types include single-value, gauge, sparkline, and single value delta.
  5. Click Update to update the widget configuration.
  6. Click Save.

Key indicator search values update at regular intervals according to the search schedule that you define when you create the key indicator search.

Create and configure search widgets

You can also create a custom widget to display search results. Add a new search to any glass table, define a custom search string, and customize the appearance of the search widget using a variety of visualization types.

Write your custom search outside of the glass table first to confirm that it produces the expected results. To use thresholding, your custom search must include the timechart command, or a stats command that splits by _time.

  1. In the glass table editor, click and drag Ad hoc Search onto the canvas.
  2. In the Configurations panel, for Search Type, type your custom search string.
  3. Use the time picker to select the end time for your search. The default is Now.
  4. In the Earliest Time menu, select the earliest time for the search. This determines the start time for your search, relative to the End Date and Time that you set in the time picker, and determines the time range over which your search applies. Security metrics by default display results from the previous 48 hours.
    For example, if the time range picker is set to Now, the security metric searches the previous 48 hours and displays results. If you change the time range picker to 6 hours ago, the security metric displays results from -54 hours to -6 hours.
  5. For Threshold Field, type the field that you want to use as the threshold for your search.
    For example, count.
  6. For Thresholds, click On to enable the thresholds for the search widget.
  7. Click Edit to edit the threshold.
  8. In the threshold window, add thresholds for the search widget. This determines the color of the widget, which indicates the current status of the metric.
  9. Select a Viz Type for your search widget.
  10. Click Update to update the widget to the new visualization and display your search results over the specified time range.
  11. Click Save.
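As an added illustration (example code written for this page, not Splunk's implementation), the following Python models the three rules this section states: the thresholding prerequisite on the search string, the 48-hour default window relative to the chosen end time (including the "6 hours ago" case from step 4), and threshold bands applied to the Threshold Field to set the widget colour. The band values and result rows are constructed; Splunk evaluates thresholds internally and this only mirrors the behaviour the steps describe.

```python
import re

# An SPL string qualifies for thresholding when it runs `timechart` as a command,
# or `stats ... by ... _time`. Plain mentions of the word "timechart" do not count.
_TIMECHART = re.compile(r"\|\s*timechart\b", re.IGNORECASE)
_STATS_BY_TIME = re.compile(r"\|\s*stats\b[^|]*\bby\b[^|]*\b_time\b", re.IGNORECASE)


def supports_thresholding(search):
    """Return True when the search is bucketed by _time as the page requires."""
    return bool(_TIMECHART.search(search) or _STATS_BY_TIME.search(search))


def search_window_hours(end_offset_hours, span_hours=48):
    """Earliest/latest offsets in hours (negative = in the past) for a widget whose
    end time is `end_offset_hours` before Now and whose Earliest Time is
    `span_hours` before that end time. Now with the 48h default gives (-48, 0);
    an end time of 6 hours ago gives (-54, -6)."""
    latest = -end_offset_hours
    return (latest - span_hours, latest)


# Constructed rows, shaped like the output of `... | stats count by _time`.
SAMPLE_ROWS = [
    {"_time": "2021-05-26T00:00:00", "count": 3},
    {"_time": "2021-05-26T01:00:00", "count": 12},
]

# Constructed threshold bands: (inclusive lower bound, colour), any order.
SAMPLE_BANDS = [(0, "green"), (25, "red"), (10, "yellow")]


def widget_color(rows, threshold_field, bands):
    """Colour the widget from the most recent row: the highest band whose lower
    bound the threshold field's value reaches wins; below every band, the lowest
    band's colour applies."""
    latest_row = max(rows, key=lambda r: r["_time"])
    value = float(latest_row[threshold_field])
    ordered = sorted(bands)
    colour = ordered[0][1]
    for lower, band_colour in ordered:
        if value >= lower:
            colour = band_colour
    return colour
```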
Last modified on 26 May, 2021

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only

