This documentation does not apply to the most recent version of Splunk® Enterprise Security.
For documentation on the most recent version, go to the latest release.
When Splunk Enterprise Security is deployed on Splunk Enterprise, the Splunk platform sends anonymized usage data to Splunk Inc. ("Splunk") to help improve Splunk Enterprise Security in future releases. For information about how to opt in or out, and how the data is collected, stored, and governed, see Share data in Splunk Enterprise.
How data is collected
Splunk Enterprise Security uses saved searches to collect anonymous usage data. These searches run in the background regardless of whether or not you opt-in to send usage data to Splunk, and do not have any significant impact on performance.
What data is collected
Splunk Enterprise Security collects the following basic usage information:
| Name | Description | Example |
|---|---|---|
app.SplunkEnterpriseSecuritySuite.active_users
|
Report the number of active users. | {
"version": "1.0",
"end": 1521483766,
"begin": 1521396000,
"data": {
"analyst_count": 0,
"count": 1,
"admin_count": 1,
"user_count": 0
}
}
|
app.SplunkEnterpriseSecuritySuite.annotations_usage
|
Report the number of users that enable and start using annotations in correlation searches for the risk framework. | {
"data": {
"unique_annotation_count": 86,
"unique_framework_count": 4,
"searches_with_cis20": 200,
"searches_with_kill_chain_phases": 176,
"searches_with_mitre_attack": 119,
"searches_with_nist": 199,
"searches_with_annotations": 213
},
"version": "1.0"
}
|
app.SplunkEnterpriseSecuritySuite.datamodel_
|
Performs a data model audit to determine which models are the most heavily used. | {
"data": {
"size": 2265088,
"datamodel": "Change_Analysis",
"perc": 49.33
},
"version": "1.0"
}
|
app.SplunkEnterpriseSecuritySuite.feature_usage
|
|
{
"end": 1521483766,
"begin": 1521396000,
"version": "1.0",
"data": {
"count": 1,
"avg_spent": 515,
"view": "ess_home"
}
}
|
app.SplunkEnterpriseSecuritySuite.identity_manager
|
Reports statistics pertaining to the usage of the Assets and Identities Framework. | {
"data": { [-]
"asset_blacklist_count": 0,
"asset_count": 3,
"asset_custom_count": 1,
"asset_custom_fields": 0,
"asset_enabled_count": 1,
"asset_ldap_count": 0,
"asset_search_count": 0,
"identity_blacklist_count": 0,
"identity_count": 3,
"identity_custom_count": 0,
"identity_custom_fields": 0,
"identity_enabled_count": 2,
"identity_ldap_count": 0,
"identity_search_count": 0,
"total_blacklist_count": 0,
"total_count": 6,
"total_custom_count": 1,
"total_enabled_count": 3,
"total_ldap_count": 0,
"total_search_count": 0
},
"version": 1.0
}
|
app.SplunkEnterpriseSecuritySuite.lookup_usage
|
Reports statistics pertaining to the usage of the Asset & Identity Manager, such as lookup table size and number of entries. | {
"data": {
"count": 0,
"size": 22,
"transform": "access_app_tracker"
},
"version": "1.0"
}
|
app.SplunkEnterpriseSecuritySuite.riskfactors_usage
|
Reports how customers use the risk framework. | {
{ [-]
app: SplunkEnterpriseSecuritySuite
component: app.SplunkEnterpriseSecuritySuite.riskfactors_usage
data: { [-]
fields_info: [ [-]
{"fields_used": "dest_priority", "count": 1}
{"fields_used": "user_category", "count": 2}
{"fields_used": "user_priority", "count": 2}
{"fields_used": "user_watchlist", "count": 1}
]
total: 5
}
deploymentID: 464150eb-1b95-528e-85ca-272ba19d113f
eventID: AB7AC804-8711-459C-A649-0A2DD8962299
executionID: 1E895CC2-5C46-456F-9A79-86CC0ED05036
optInRequired: 3
timestamp: 1603825511
type: aggregate
visibility: [ [+]
]
}
|
app.SplunkEnterpriseSecuritySuite.risk_riskfactors_impact
|
Reports how the customers engage with risk framework. | { [-]
app: SplunkEnterpriseSecuritySuite
component: app.SplunkEnterpriseSecuritySuite.risk_riskfactors_impact
data: { [-]
distinct_risk_object_count: 2
max_calc_risk_score: 100
max_risk_factor_add_matches: 0
max_risk_factor_mult_matches: 1
max_risk_score: 100
min_calc_risk_score: 100
min_risk_factor_add_matches: 0
min_risk_factor_mult_matches: 1
min_risk_score: 100
risk_factor_add_matches: 0
risk_factor_mult_matches: 0
risk_object_type: system
}
deploymentID: 3db462ee-7955-54b0-9a94-24bc19f352a8
eventID: 84949E43-2964-43CC-AA04-50F2C4082674
executionID: 27E5957D-41F4-4C83-A1F1-DCF5C9D324DC
optInRequired: 3
timestamp: 1603851828
type: aggregate
visibility: [ [+]
]
}
|
app.SplunkEnterpriseSecuritySuite.search_actions
|
Reports what was searched for. | {
"data": {
"total_scheduled": 70,
"action": "output_message",
"is_adaptive_response": 1,
"count": 6
},
"version": "1.0"
}
|
app.SplunkEnterpriseSecuritySuite.search_execution
|
Reports average run time by search, to help gauge performance. | {
"end": 1521483766,
"begin": 1521396000,
"data": {
"avg_run_time": 0.75,
"count": 2,
"search_alias": "Access - Authentication Tracker - Lookup Gen"
},
"version": "1.0",
}
|
data.context
|
Reports how many times a given workbench panel was used, and the distribution of fields drilled into from workflow actions. | {
component: app.session.rum.mark
data: {
app: SplunkEnterpriseSecuritySuite
context: {
field: lokloklok
panels: [
f2c5c990f8fbf4f173ed8ae17ac3463c53e674e10494ea6ae331f25d410c7647
f2c5c990f8fbf4f173ed8ae17ac3463c53e674e10494ea6ae331f25d410c7647
a7f1eed1b49d2391fbe7f6b6cb91a3c146a4e905e536be8e3d5581f15f90248c
]
}
hero: embedded workbench panel page
page: ess_workbench_panel
sourceLocation: controller mounted
timeSinceOrigin: 17539.599999785423
transactionId: 9eb149d0-84d9-11ea-9a01-6da37c4190ff
}
deploymentID: 90dacf53-e620-5a99-8cd4-15225d4fafc3
eventID: 19c90580-816d-2dc5-13a8-5af783596253
experienceID: 6aa4e746-c8f0-234b-35b2-dff0e1b2fbab
optInRequired: 3
timestamp: 1587588081
userID: 953b11dd9ec6593a941245c43738a191110c7e42f8e81b75fd6a18452a2755bb
version: 3
visibility: anonymous,support
}
|
Last modified on 06 January, 2023
| About Splunk Enterprise Security | Deployment planning |
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1
Download manual
Feedback submitted, thanks!