Create and manage key indicator searches in Splunk Enterprise Security
Configure key indicator searches on the Content Management page in Splunk Enterprise Security. Use the Type filter on that page to show only key indicator searches.
Create a custom key indicator search
A key indicator search produces a key indicator that you can add to a dashboard as a security metric.
- From the Enterprise Security menu bar, select Security content then Content management.
- Select Create New Content and select Key Indicator Search.
- Type a key indicator name. Type a category or security domain at the beginning of the key indicator name followed by a hyphen. For example, APT - Example Key Indicator or Access - Sample Key Indicator.
- Type a search, and other details. The key indicators that come with Enterprise Security use data models to accelerate the return of results.
- (Optional) Select Schedule to use data model acceleration for your custom key indicator.
- Type the name of the field that corresponds to the value of the key indicator in the Value field.
- Type the name of the field that corresponds to the change in the key indicator in the Delta field.
- (Optional) Type a Threshold for the key indicator. The threshold controls whether the key indicator changes color. You can also set the threshold in dashboards.
- Type a Value Suffix to indicate units or another word to follow the key indicator.
- Select the Invert check box to invert the colors of the key indicator. Select this check box to indicate that a high value is good and a low value is bad.
- Select Save.
- (Optional) You may customize the display of the error message when a key indicator search fails. For more information on creating a custom error message for your key indicator search, see Customize the error message for key indicator searches.
- (Optional) You may add a dependent search for your key indicator search. You may run the dependent search from the Run related search link provided below the error message in the key indicator panels. For more information on adding a dependent search for your key indicator search, see Add a dependent search to a key indicator search.
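The following search is an added example of what goes in the search field of a custom key indicator; it is not from this page or from the content shipped with Enterprise Security. It assumes the CIM Authentication data model is accelerated, counts authentication failures (Authentication.action="failure") in the last full 24 hours, and compares them with the 24 hours before that. The field names current_count and delta are constructed for this example.

```spl
| tstats summariesonly=true count from datamodel=Authentication
    where Authentication.action="failure" earliest=-48h@h latest=@h
    by _time span=1h
| eval window=if(_time >= relative_time(now(), "-24h@h"), "current", "previous")
| eval current_count=if(window="current", count, 0)
| eval previous_count=if(window="previous", count, 0)
| stats sum(current_count) as current_count, sum(previous_count) as previous_count
| eval delta=current_count - previous_count
| table current_count delta
```

With this search, enter current_count in the Value field and delta in the Delta field; with Invert left unchecked, a Threshold lower than the failure count turns the indicator red, which is the behavior you want for a metric where a high value is bad.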
Schedule a key indicator search
Key indicators included with Splunk Enterprise Security use data model acceleration. Turn on acceleration and schedule the search to run as a scheduled report. Scheduled report results are cached, allowing the indicator to display results on the dashboard more quickly.
- Select Security content then Content management.
- Locate the key indicator search that you want to accelerate.
- Select Accelerate in the Actions column.
- In the Edit Acceleration window, select the Accelerate check box.
- Select a Refresh Frequency for how often Enterprise Security should update the cached results.
- Select Save.
After a key indicator is accelerated, the Next Scheduled Time populates on the Content Management page and the lightning bolt for that indicator changes from grey to yellow.
Edit a key indicator search
Make changes to a key indicator search.
- From the ES menu bar, select Security content then Content management.
- Select a key indicator search.
- (Optional) Change the search name.
- (Optional) Change the destination app where the search is stored.
- (Optional) Change the title of the key indicator. The title appears above the key indicator on a dashboard.
- (Optional) Change the sub-title of the key indicator that is used to describe the type of the key indicator function on dashboards.
- (Optional) Change the search string that populates the key indicator.
- (Optional) Add a drilldown URL such as a custom search or dashboard link to override the default drilldown behavior. By default, the key indicator drilldown opens the search results that produced the key indicator value.
- (Optional) Select the Schedule check box to turn on acceleration for a key indicator and allow it to load faster on a dashboard.
- (Optional) Change the Cron Schedule frequency using standard cron notation.
- (Optional) Change the Threshold behavior to determine the color assigned to the value indicator. By default, no threshold produces a black value indicator, a threshold number higher than the count of a value indicator produces a green value indicator, and a threshold number lower than the count of a value indicator produces a red value indicator.
- (Optional) Add a Value suffix to describe the value indicator. For example, specify units. On dashboards, the value suffix appears between the value indicator and the trend indicator.
- (Optional) Select the Invert check box to change the default colors of the trend indicator threshold. If this check box is selected, a threshold number higher than the count of a value indicator produces a red value indicator, and a threshold number lower than the count of a value indicator produces a green value indicator.
- Select Save.
- (Optional) You may customize the display of the error message when a key indicator search fails. For more information on creating a custom error message for your key indicator search, see Customize the error message for key indicator searches.
- (Optional) You may add a dependent search for your key indicator search. You may run the dependent search from the Run related search link provided below the error message in the key indicator panels. For more information on adding a dependent search for your key indicator search, see Add a dependent search to a key indicator search.
Customize the error message for key indicator searches
- From the ES menu bar, select Security content then Content management.
- In the Type drop-down, filter by Key Indicator Search.
- Select the key indicator search for which you want to customize the error message. This opens the Edit Key Indicator Search dialog.
- Scroll down to the Error Configuration section of the Key Indicator Search editor.
- Edit the error message.
Add a dependent search to a key indicator search
- From the ES menu bar, select Security content then Content management.
- In the Type drop-down, filter by Key Indicator Search.
- Select the key indicator search for which you want to add the dependent search. This opens the Edit Key Indicator Search dialog.
- Scroll down to the Error Configuration section of the Key Indicator Search editor.
- From the drop-down menu, add the dependent search for your key indicator search.
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0