Expand Content Management searches to view dependency and usage information in Splunk Enterprise Security
In Content Management, you can see more details about knowledge objects such as data models, correlation searches, lookups, investigations, key indicators, and reports.
With these additional details, you can verify health status, statistics, associated knowledge objects, and that the proper technical add-ons are populating each object.
- From the Splunk ES menu bar, select Configure > Content > Content Management.
- (Optional) From the Type filter, select a type such as Search or Data Model.
- From the event information column of a search or data model, click the greater than (>) symbol to expand the display.
Not every Type includes the greater than (>) symbol, and each Type shows different details.
The following table describes the additional usage details and dependencies:
| Detail | Description |
|---|---|
| Status | Icon that shows the overall health. If the icon is not a green checkmark, then you are not ingesting enough data for this content to report accurately. |
| Statistics | For searches, if the saved search is scheduled, this shows execution statistics from the _audit index. For data models, if the data model is accelerated, the execution statistics are also returned for the acceleration search. |
| Associated Searches | The saved searches that use this object or dataset. |
| Associated Panels | The panels that use this object or dataset. |
| Indexes | The indexes that this object or dataset uses. If the icon is a green checkmark, then the index has events for the past 24 hours. |
| Lookups | The lookups that this object or dataset uses. If the icon is a green checkmark, then the row counts for the csv or kvstore lookup files are not empty. |
| Sourcetypes | The sourcetypes that this object or dataset uses. For example, if you have Unix in your environment and expect to see that sourcetype listed here but don't, then you need to revise how you are getting that data into Splunk. If the icon is a green checkmark, then the index has events for the past 24 hours. |
| Tags | The tags that this object or dataset uses. |
Associated objects are only visible if there is data to populate them. If there is no data to populate them, then you will see a message such as "No associated objects or datasets found."
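To check the same signals outside the expanded view (for example, for a Type that shows no greater than (>) symbol), the two SPL searches below are an added example and not part of the original page. The first summarizes a scheduled search's execution statistics from the _audit index over the last seven days; the second lists which indexes and sourcetypes have received events in the past 24 hours, which is the condition behind the green checkmark for Indexes and Sourcetypes. `<saved search name>` is a placeholder for the name of your own correlation search or report.

```spl
index=_audit action=search info=completed savedsearch_name="<saved search name>" earliest=-7d
| stats count AS runs avg(total_run_time) AS avg_run_time_sec max(total_run_time) AS max_run_time_sec avg(scan_count) AS avg_scan_count avg(result_count) AS avg_result_count BY savedsearch_name

| tstats count WHERE index=* earliest=-24h BY index sourcetype
| sort - count
```

A sourcetype that the content depends on but that is missing from the second search's output points to the same ingestion problem the Sourcetypes row describes.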
This documentation applies to the following versions of Splunk® Enterprise Security: 6.6.0, 6.6.2