Splunk® Enterprise Security

Administer Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Expand Content Management searches to view dependency and usage information in Splunk Enterprise Security

In Content Management, it is possible to see more details about the knowledge objects such as data models, correlation searches, lookups, investigations, key indicators, and reports.

Additional details

With these additional details, you can verify health status, statistics, associated knowledge objects, and that the proper technical add-ons are populating within each of objects.

Associated objects might not display consistently if there is no data to populate them due to the specific configuration of your environment.

  1. From the Splunk ES menu bar, select Configure > Content > Content Management.
  2. (Optional) From the Type filter, select a type such as Search or Data Model.
  3. From the event information column of a search or data model, click the greater than (>) symbol to expand the display.

    Not every Type will include the greater than (>) symbol, and each different Type will show different details.

The following table describes the additional usage details and dependencies:

Name Description
Status Icon to show the overall health. If the icon is not a green checkmark, then you are not ingesting enough data for this content to report accurately.
Statistics For searches, if the saved search is scheduled, this shows execution statistics from the _audit index. For data models, if the data model is accelerated, the execution statistics are also returned for the acceleration search. The statistics are for a 24 hour time range and do not indicate cumulative results over all time.
Associated Searches The saved searches that use this object or dataset.
Associated Panels The panels that use this object or dataset.
Indexes The indexes that this object or dataset uses. If the icon is a green checkmark, then the index has events for the past 24 hours.
Lookups The lookups that this object or dataset uses. If the icon is a green checkmark, then the row counts for the csv or kvstore lookup files are not empty.
Sourcetypes The sourcetypes that this object or dataset uses. For example, if you have Unix in your environment and you would expect to see that sourcetype listed here, but you don't see it, then you would know that you need to revise the way you're getting that data into Splunk. If the icon is a green checkmark, then the index has events for the past 24 hours.
Tags The tags that this object or dataset uses.

Associated objects are only visible if there is data to populate them. If there is no data to populate the associated knowledge objects, a message such as "No associated objects or datasets found" is displayed. In some cases you might see results even if no data exists and the Status icon is red. This discrepancy occurs because the data driving the knowledge objects derives from the Audit Dataset Relation saved search. The Audit Dataset Relation saved search calls the REST endpoint, which clears the dataset cache in SA-Utils and rebuilds it. This dataset cache is an inventory of searches, data models, views, and lookups that are associated with the search and defines the available data.

See the following Audit Dataset Relation saved search:

[Audit - Dataset relation]
cron_schedule              =  */30 * * * *
disabled                        = 0
dispatch.earliest_time  = 0
dispath.latest_time       = +0s
enableSched                = 1
is_visible                       = false
run_on_startup            = true
schedule_window       = auto
search                          = /rest /servicesNS/nobody/SA-Utils/contentinfo/_cachetimeout=600 splunk_server = local count = 0 | stats count

See the following dataset cache:

[dataset_cache]
# field._key = type@@name
field.type = string
#datamodel, savedsearch, view, panel
field.name = string
field.uses = string
#json object
Field.usedby = string
# json object
Accelerated_field.id = {"name": 1, "type": 1}
Last modified on 15 June, 2023
Use default risk factors in Splunk Enterprise Security   Manage Analytic Stories through the use case library in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters