Splunk® Enterprise Security

Use Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Predictive Analytics dashboard

With Common Information Model Add-on 4.15.0 and later, the Predictive Analytics dashboard is removed. Machine Learning Toolkit functionality can be leveraged instead. MLTK is more robust for finding different varieties of anomalous events in your data than the | predict command used by the Predictive Analytics dashboard. See Machine Learning Toolkit Overview in Splunk Enterprise Security and see Release Notes in the Common Information Model Add-on Manual.

Use the Predictive Analytics dashboard to search for different varieties of anomalous events in your data. Predictive Analytics uses the predictive analysis functionality in Splunk to provide statistical information about the results, and identify outliers in your data. The predict command can take some time to generate results.

To analyze data with predictive analytics, choose a data model, then an object, a function, an attribute, and a time range, and click Search.

Dashboard filters

Use the available dashboard filters to refine the results displayed on the dashboard panels. The Predictive Analytics dashboard filters are implemented in a series from left to right. For example, the Object filter is populated based on the Data Model selection.

Filter by Description
Data Model Specifies the data model for the search. Available data models are shown in the drop-down list.
Object Specifies the object within the data model for the search. You must select a Data Model to apply an Object.
Function Specifies the function within the object for the search. Functions specify the type of analysis to perform on the search results. For example, choose "avg" to analyze the average of search results. Choose "dc" to create a distinct count of the results.
Attribute Specifies the constraint attributes within the object for the search.
Attributes are constraints on the search results. For example, choose "src" to view results from sources. You must select an Object to apply an Attribute.
Time Range Select the time range to represent.
Advanced Access to the options for the predict command.

You can find information about the predict command options in the Splunk platform documentation.

  • For Splunk Enterprise, see predict options in the Splunk Enterprise Search Reference.
  • For Splunk Cloud Platform, see predict options in the Splunk Cloud Platform Search Reference.

Dashboard Panels

Panel Description
Prediction Over Time The Prediction Over Time panel shows a predictive analysis of the results over time, based on the time range you chose. The shaded area shows results that fall within two standard deviations of the mean value of the total search results.
Outliers The Outliers panel shows those results that fall outside of two standard deviations of the search results.

Data sources

The Predictive Analytics dashboard references data in any user selected data model. If the data model accelerations are unavailable or incomplete for the chosen time range, the dashboard reverts to searching unaccelerated, raw data.

Create a correlation search

From this dashboard, create a correlation search based on the search parameters for your current predictive analytics search. This correlation search will create an alert when the correlation search returns an event.

  1. Click Save as Correlation Search... to open the Create Correlation Search dialog.
  2. Select the Security domain and Severity for the notable event created by this search.
  3. Add a search name and description.
  4. Click Save.

ES-CreateCorrelationSearch.png

To view and edit correlation searches, go to Configure > Content > Content Management. See Configure correlation searches in Splunk Enterprise Security in Administer Splunk Enterprise Security.

Troubleshooting

This dashboard references data from various data models. Without the applicable data, the panels will remain empty. See Troubleshoot dashboards in Splunk Enterprise Security in Administer Splunk Enterprise Security.

Last modified on 19 January, 2022
Audit dashboards   Access dashboards

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters