Predictive Analytics dashboard
With Common Information Model Add-on 4.15.0 and later, the Predictive Analytics dashboard is removed. Machine Learning Toolkit functionality can be leveraged instead. MLTK is more robust for finding different varieties of anomalous events in your data than the
command used by the Predictive Analytics dashboard. See Machine Learning Toolkit Overview in Splunk
Enterprise Security and see Release Notes in the Common Information Model Add-on Manual.
Use the Predictive Analytics dashboard to search for different varieties of anomalous events in your data. Predictive Analytics uses the predictive analysis functionality in Splunk to provide statistical information about the results, and identify outliers in your data. The predict command can take some time to generate results.
To analyze data with predictive analytics, choose a data model, then an object, a function, an attribute, and a time range, and click Search.
Dashboard filters
Use the available dashboard filters to refine the results displayed on the dashboard panels. The Predictive Analytics dashboard filters are implemented in a series from left to right. For example, the Object filter is populated based on the Data Model selection.
Filter by | Description |
---|---|
Data Model | Specifies the data model for the search. Available data models are shown in the drop-down list. |
Object | Specifies the object within the data model for the search. You must select a Data Model to apply an Object. |
Function | Specifies the function within the object for the search. Functions specify the type of analysis to perform on the search results. For example, choose "avg " to analyze the average of search results. Choose "dc " to create a distinct count of the results.
|
Attribute | Specifies the constraint attributes within the object for the search. Attributes are constraints on the search results. For example, choose " src " to view results from sources. You must select an Object to apply an Attribute.
|
Time Range | Select the time range to represent. |
Advanced | Access to the options for the predict command. |
You can find information about the predict command options in the Splunk platform documentation.
- For Splunk Enterprise, see predict options in the Splunk Enterprise Search Reference.
- For Splunk Cloud Platform, see predict options in the Splunk Cloud Platform Search Reference.
Dashboard Panels
Panel | Description |
---|---|
Prediction Over Time | The Prediction Over Time panel shows a predictive analysis of the results over time, based on the time range you chose. The shaded area shows results that fall within two standard deviations of the mean value of the total search results. |
Outliers | The Outliers panel shows those results that fall outside of two standard deviations of the search results. |
Data sources
The Predictive Analytics dashboard references data in any user selected data model. If the data model accelerations are unavailable or incomplete for the chosen time range, the dashboard reverts to searching unaccelerated, raw data.
Create a correlation search
From this dashboard, create a correlation search based on the search parameters for your current predictive analytics search. This correlation search will create an alert when the correlation search returns an event.
- Click Save as Correlation Search... to open the Create Correlation Search dialog.
- Select the Security domain and Severity for the notable event created by this search.
- Add a search name and description.
- Click Save.
To view and edit correlation searches, go to Configure > Content > Content Management. See Configure correlation searches in Splunk Enterprise Security in Administer Splunk Enterprise Security.
Troubleshooting
This dashboard references data from various data models. Without the applicable data, the panels will remain empty. See Troubleshoot dashboards in Splunk Enterprise Security in Administer Splunk Enterprise Security.
Audit dashboards | Access dashboards |
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2
Feedback submitted, thanks!