When Splunk Enterprise Security is deployed on Splunk Enterprise, the Splunk platform sends anonymized usage data to Splunk Inc. ("Splunk") to help improve Splunk Enterprise Security in future releases. For information about how to opt in or out, and how the data is collected, stored, and governed, see Share data in Splunk Enterprise.
How data is collected
Splunk Enterprise Security uses saved searches to collect anonymous usage data. These searches run in the background regardless of whether you opt in to send usage data to Splunk, and do not have any significant impact on performance.
What data is collected
Splunk Enterprise Security collects the following basic usage information:
Name | Description | Example |
---|---|---|
app.SplunkEnterpriseSecuritySuite.active_users | Report the number of active users. | { "version": "1.0", "end": 1521483766, "begin": 1521396000, "data": { "analyst_count": 0, "count": 1, "admin_count": 1, "user_count": 0 } } |
app.SplunkEnterpriseSecuritySuite.annotations_usage | Report the number of users that enable and start using annotations in correlation searches for the risk framework. | { "data": { "unique_annotation_count": 86, "unique_framework_count": 4, "searches_with_cis20": 200, "searches_with_kill_chain_phases": 176, "searches_with_mitre_attack": 119, "searches_with_nist": 199, "searches_with_annotations": 213 }, "version": "1.0" } |
app.SplunkEnterpriseSecuritySuite.datamodel_ | Performs a data model audit to determine which models are the most heavily used. | { "data": { "size": 2265088, "datamodel": "Change_Analysis", "perc": 49.33 }, "version": "1.0" } |
app.SplunkEnterpriseSecuritySuite.feature_usage | | { "end": 1521483766, "begin": 1521396000, "version": "1.0", "data": { "count": 1, "avg_spent": 515, "view": "ess_home" } } |
app.SplunkEnterpriseSecuritySuite.identity_manager | Reports statistics pertaining to the usage of the Assets and Identities Framework. | { "data": { "asset_blacklist_count": 0, "asset_count": 3, "asset_custom_count": 1, "asset_custom_fields": 0, "asset_enabled_count": 1, "asset_ldap_count": 0, "asset_search_count": 0, "identity_blacklist_count": 0, "identity_count": 3, "identity_custom_count": 0, "identity_custom_fields": 0, "identity_enabled_count": 2, "identity_ldap_count": 0, "identity_search_count": 0, "total_blacklist_count": 0, "total_count": 6, "total_custom_count": 1, "total_enabled_count": 3, "total_ldap_count": 0, "total_search_count": 0 }, "version": 1.0 } |
app.SplunkEnterpriseSecuritySuite.lookup_usage | Reports statistics pertaining to the usage of the Asset & Identity Manager, such as lookup table size and number of entries. | { "data": { "count": 0, "size": 22, "transform": "access_app_tracker" }, "version": "1.0" } |
app.SplunkEnterpriseSecuritySuite.riskfactors_usage | Reports how customers use the risk framework. | { app: SplunkEnterpriseSecuritySuite component: app.SplunkEnterpriseSecuritySuite.riskfactors_usage data: { fields_info: [ {"fields_used": "dest_priority", "count": 1} {"fields_used": "user_category", "count": 2} {"fields_used": "user_priority", "count": 2} {"fields_used": "user_watchlist", "count": 1} ] total: 5 } deploymentID: 464150eb-1b95-528e-85ca-272ba19d113f eventID: AB7AC804-8711-459C-A649-0A2DD8962299 executionID: 1E895CC2-5C46-456F-9A79-86CC0ED05036 optInRequired: 3 timestamp: 1603825511 type: aggregate visibility: [ [+] ] } |
app.SplunkEnterpriseSecuritySuite.risk_riskfactors_impact | Reports how customers engage with the risk framework. | { app: SplunkEnterpriseSecuritySuite component: app.SplunkEnterpriseSecuritySuite.risk_riskfactors_impact data: { distinct_risk_object_count: 2 max_calc_risk_score: 100 max_risk_factor_add_matches: 0 max_risk_factor_mult_matches: 1 max_risk_score: 100 min_calc_risk_score: 100 min_risk_factor_add_matches: 0 min_risk_factor_mult_matches: 1 min_risk_score: 100 risk_factor_add_matches: 0 risk_factor_mult_matches: 0 risk_object_type: system } deploymentID: 3db462ee-7955-54b0-9a94-24bc19f352a8 eventID: 84949E43-2964-43CC-AA04-50F2C4082674 executionID: 27E5957D-41F4-4C83-A1F1-DCF5C9D324DC optInRequired: 3 timestamp: 1603851828 type: aggregate visibility: [ [+] ] } |
app.SplunkEnterpriseSecuritySuite.search_actions | Reports what was searched for. | { "data": { "total_scheduled": 70, "action": "output_message", "is_adaptive_response": 1, "count": 6 }, "version": "1.0" } |
app.SplunkEnterpriseSecuritySuite.search_execution | Reports average run time by search, to help gauge performance. | { "end": 1521483766, "begin": 1521396000, "data": { "avg_run_time": 0.75, "count": 2, "search_alias": "Access - Authentication Tracker - Lookup Gen" }, "version": "1.0", } |
data.context | Reports how many times a given workbench panel was used, and the distribution of fields drilled into from workflow actions. | { component: app.session.rum.mark data: { app: SplunkEnterpriseSecuritySuite context: { field: lokloklok panels: [ f2c5c990f8fbf4f173ed8ae17ac3463c53e674e10494ea6ae331f25d410c7647 f2c5c990f8fbf4f173ed8ae17ac3463c53e674e10494ea6ae331f25d410c7647 a7f1eed1b49d2391fbe7f6b6cb91a3c146a4e905e536be8e3d5581f15f90248c ] } hero: embedded workbench panel page page: ess_workbench_panel sourceLocation: controller mounted timeSinceOrigin: 17539.599999785423 transactionId: 9eb149d0-84d9-11ea-9a01-6da37c4190ff } deploymentID: 90dacf53-e620-5a99-8cd4-15225d4fafc3 eventID: 19c90580-816d-2dc5-13a8-5af783596253 experienceID: 6aa4e746-c8f0-234b-35b2-dff0e1b2fbab optInRequired: 3 timestamp: 1587588081 userID: 953b11dd9ec6593a941245c43738a191110c7e42f8e81b75fd6a18452a2755bb version: 3 visibility: anonymous,support } |
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1