Expand Content Management searches to view dependency and usage information in Splunk Enterprise Security
In Content management, it is possible to see more details about the knowledge objects such as data models, detections, lookups, investigations, key indicators, and reports.
Additional details
With these additional details, you can verify health status, statistics, associated knowledge objects, and that the proper technical add-ons are populating each of the objects.
Associated objects might not display consistently if there is no data to populate them due to the specific configuration of your environment.
- From the Splunk ES menu bar, select Security content then Content management.
- (Optional) From the Type filter, select a type such as Search or Data Model.
- From the event information column of a search or data model, select the greater than (>) symbol to expand the display.
Not every Type will include the greater than (>) symbol, and each different Type will show different details.
The following table describes the additional usage details and dependencies:
Name | Description |
---|---|
Status | Icon that shows the overall health. If the icon is not a green checkmark, then you are not ingesting enough data for this content to report accurately. |
Statistics | For searches, if the saved search is scheduled, this shows execution statistics from the _audit index. For data models, if the data model is accelerated, the execution statistics are also returned for the acceleration search. The statistics cover a 24-hour time range and do not indicate cumulative results over all time. |
Associated Searches | The saved searches that use this object or dataset. |
Associated Panels | The panels that use this object or dataset. |
Indexes | The indexes that this object or dataset uses. If the icon is a green checkmark, then the index has events for the past 24 hours. |
Lookups | The lookups that this object or dataset uses. If the icon is a green checkmark, then the row counts for the csv or kvstore lookup files are not empty. |
Sourcetypes | The sourcetypes that this object or dataset uses. For example, if you have Unix in your environment and expect to see that sourcetype listed here but do not, then you know that you need to revise the way you are getting that data into Splunk. If the icon is a green checkmark, then the index has events for the past 24 hours. |
Tags | The tags that this object or dataset uses. |
Associated objects are only visible if there is data to populate them. If there is no data to populate the associated knowledge objects, a message such as "No associated objects or datasets found" is displayed. In some cases you might see results even if no data exists and the Status icon is red. This discrepancy occurs because the data driving the knowledge objects derives from the Audit Dataset Relation saved search. The Audit Dataset Relation saved search calls the REST endpoint, which clears the dataset cache in SA-Utils and rebuilds it. This dataset cache is an inventory of searches, data models, views, and lookups that are associated with the search and defines the available data.
See the following Audit Dataset Relation saved search (savedsearches.conf stanza; the search runs every 30 minutes and calls the SA-Utils contentinfo REST endpoint to rebuild the cache):

```ini
[Audit - Dataset relation]
cron_schedule = */30 * * * *
disabled = 0
dispatch.earliest_time = 0
dispatch.latest_time = +0s
enableSched = 1
is_visible = false
run_on_startup = true
schedule_window = auto
search = | rest /servicesNS/nobody/SA-Utils/contentinfo/_cachetimeout=600 splunk_server=local count=0 | stats count
```
See the following dataset cache (collections.conf stanza for the KV store collection):

```ini
[dataset_cache]
# field._key = type@@name
field.type = string      # datamodel, savedsearch, view, panel
field.name = string
field.uses = string      # json object
field.usedby = string    # json object
accelerated_fields.id = {"name": 1, "type": 1}
```
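The following added example (not Splunk's or SA-Utils' own code) shows how the "Associated Searches" and "Associated Panels" rows can be reconstructed from dataset_cache records, and how to spot objects that nothing depends on before disabling content. It assumes that each record carries the type, name, uses and usedby fields from the stanza above and that uses/usedby are JSON-encoded lists of {"type": ..., "name": ...} objects; the page does not document that inner layout, and the sample records are constructed rather than taken from a live instance.

```python
import json
from collections import defaultdict

# Constructed sample rows in the shape of the dataset_cache stanza
# (type@@name keys, uses/usedby as JSON strings). Not real ES data.
SAMPLE_RECORDS = [
    {"type": "datamodel", "name": "Authentication", "uses": "[]",
     "usedby": json.dumps([{"type": "savedsearch", "name": "Access - Brute Force Access Behavior Detected - Rule"},
                           {"type": "panel", "name": "access_center_panel"}])},
    {"type": "savedsearch", "name": "Access - Brute Force Access Behavior Detected - Rule",
     "uses": json.dumps([{"type": "datamodel", "name": "Authentication"}]), "usedby": "[]"},
    {"type": "panel", "name": "access_center_panel",
     "uses": json.dumps([{"type": "datamodel", "name": "Authentication"}]), "usedby": "[]"},
    # A row whose relation JSON is missing entirely: the UI would report
    # "No associated objects or datasets found" for it.
    {"type": "datamodel", "name": "Web", "uses": "", "usedby": ""},
]

def key_of(obj):
    """Compose the _key the stanza documents: type@@name."""
    return f"{obj['type']}@@{obj['name']}"

def _relations(raw):
    """Decode a uses/usedby field; empty or malformed JSON counts as no relations."""
    try:
        value = json.loads(raw) if raw else []
    except (TypeError, ValueError):
        return []
    return [key_of(o) for o in value if isinstance(o, dict) and "type" in o and "name" in o]

def build_graph(records):
    """Return {key: set(keys that use it)}, merging each row's usedby with the
    inverse of every other row's uses so a one-sided cache entry still resolves."""
    used_by = defaultdict(set)
    for rec in records:
        k = key_of(rec)
        used_by[k].update(_relations(rec.get("usedby")))
        for target in _relations(rec.get("uses")):
            used_by[target].add(k)
    return used_by

def associated(records, obj_type, name):
    """Mirror the expanded Content Management row: associated searches and panels."""
    deps = sorted(build_graph(records).get(f"{obj_type}@@{name}", ()))
    return {
        "searches": [d.split("@@", 1)[1] for d in deps if d.startswith("savedsearch@@")],
        "panels": [d.split("@@", 1)[1] for d in deps if d.startswith("panel@@")],
    }

def unreferenced(records):
    """Objects nothing depends on: worth reviewing before disabling or deleting content."""
    graph = build_graph(records)
    return sorted(key_of(r) for r in records if not graph.get(key_of(r)))
```

To run this against a real deployment, replace SAMPLE_RECORDS with the rows returned for the collection (for example via the KV store REST data endpoint for SA-Utils), keeping the same field names.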
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1