Splunk® Enterprise Security

Install and upgrade Splunk Enterprise Security

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Share data in Splunk Enterprise Security

When Splunk Enterprise Security is deployed on Splunk Enterprise, the Splunk platform sends anonymized usage data to Splunk Inc. ("Splunk") to help improve Splunk Enterprise Security in future releases. For information about how to opt in or out, and how the data is collected, stored, and governed, see Share data in Splunk Enterprise.

How data is collected

Splunk Enterprise Security uses saved searches to collect anonymous usage data. These searches run in the background regardless of whether or not you opt-in to send usage data to Splunk, and do not have any significant impact on performance.

What data is collected

Splunk Enterprise Security collects the following basic usage information:

Name Description Example
app.session.enterprise-security.drilldown-dashboard Reports on the telemetry for every notable event that is created such as the severity of the notable, the assets and identities that generated the notable, and so on. 
data: { [-]
    _time: 1662596119
    notable_type: notable
    search_name: ESCU - Detecting Foo using Bar - Rule
    annotations: {"_time": 1698688688, "notable_type": "notable", "search_name": "ESCU - Detect Regasm with no Command Line Arguments - Rule", "annotations": "{\"analytic_story\": [\"Suspicious Regsvcs Regasm Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 70, \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.009\"], \"nist\": [\"DE.CM\"]}"     
    security_domain: endpoint
    severity: high
    event_id: 94DB953F-825B-4885-B630-DCDEFDC2A260@@notable@@377f7cd1c5cd18a287ef62392052b327
    org_sourcetype: N/A
    hashed_user: 2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae
    hashed_src_user: 2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae
    hashed_src:  12ca17b49af2289436f303e0166030a21e525d266e209267433801a8fd4071a0
    hashed_dest: 12ca17b49af2289436f303e0166030a21e525d266e209267433801a8fd4071a0
    hashed_dvc: 12ca17b49af2289436f303e0166030a21e525d266e209267433801a8fd4071a0
    hashed_orig_host: 12ca17b49af2289436f303e0166030a21e525d266e209267433801a8fd4071a0
    hashed_process_name: c65bd1e40e7af5766f76c5ee912ab472658a86d20f2bcaf90e3ee572cfdbc22a
    hashed_object: 49960de5880e8c687434170f6476605b8fe4aeb9a28632c7995cf3ba831d9763
  }
  deploymentID: dd2e7874-098f-549c-af70-0d33636be94d
  eventID: dce50f20-e5d6-0229-65b1-61d04ccd7367
  experienceID: 668d518b-2b52-e502-78b2-e9f8587cfbdb
  optInRequired: 3
  splunkVersion: 9.0.1
  timestamp: 1669678343
  userID: 5d040a73e82459dd2ac8c58d50e6f37f6072a99a5ba0f84bacc4e496a3579a1a
  version: 4
  visibility: anonymous,support
}
app.session.enterprise-security.risk-analysis-dashboard Reports on the usage of the Risk Timeline visualization on the Risk Analysis dashboard. 
data: { [-]
     action: click
     app: SplunkEnterpriseSecuritySuite
     page: incident_review
     section: viz_risk_score_by_object
   }
app.session.enterprise-security.disposition-required Reports whether dispositions are required or not on Incident Review Settings page. 
  data: { [-]
     action: is_required
     app: SplunkEnterpriseSecuritySuite
     page: ess_incident_review_configuration
     section: disposition
   }
app.session.enterprise-security.ir-event-timeline Reports the usage of the zoom in and zoom out functionality of the Event Timeline visualization on the Incident Review page. 
data: { [-]
     action: click
     app: SplunkEnterpriseSecuritySuite
     page: incident_review
     section: zoomClick
   }

OR 

data: { [-]
     action: click
     app: SplunkEnterpriseSecuritySuite
     page: incident_review
     section: zoomOut
   }
app.session.enterprise-security.incident-review
  • Reports the number of customers who have selected drilldown searches in the expansion row on the Incident Review page.
  • Reports the number of times customers have selected drilldown searches in the expansion row on the Incident Review page.
 
{ [-]
   component: app.session.enterprise-security.drilldown-search
   data: { [-]
     action: click
     app: SplunkEnterpriseSecuritySuite
     page: incident_review
     section: ir-expansion-link

   }
   deploymentID: dd2e7874-098f-549c-af70-0d33636be94d
   eventID: dce50f20-e5d6-0229-65b1-61d04ccd7367
   experienceID: 668d518b-2b52-e502-78b2-e9f8587cfbdb
   optInRequired: 3
   splunkVersion: 9.0.1
   timestamp: 1669678343
   userID: 5d040a73e82459dd2ac8c58d50e6f37f6072a99a5ba0f84bacc4e496a3579a1a
   version: 4
   visibility: anonymous,support
}
app.session.enterprise-security.drilldown-search
  • Reports the number of customers who have used, added, or removed drilldown searches in the Correlation Search Editor.
  • Reports the number of times customers have added or removed drilldown searches in the Correlation Search Editor.
 
{ [-]
   component: app.session.enterprise-security.drilldown-search
   data: { [-]
     action: click
     app: SplunkEnterpriseSecuritySuite
     page: correlation_search_edit
     section: add-drilldown-btn (OR remove-drilldown-btn)
   }
   deploymentID: dd2e7874-098f-549c-af70-0d33636be94d
   eventID: dce50f20-e5d6-0229-65b1-61d04ccd7367
   experienceID: 668d518b-2b52-e502-78b2-e9f8587cfbdb
   optInRequired: 3
   splunkVersion: 9.0.1
   timestamp: 1669678343
   userID: 5d040a73e82459dd2ac8c58d50e6f37f6072a99a5ba0f84bacc4e496a3579a1a
   version: 4
   visibility: anonymous,support
}
app.session.enterprise-security.threat-topology
  • Report the number of users who have viewed the threat-topology visualization
  • Report the number of times users have rendered the threat-topology visualization 
 
{ [-]
   component: app.session.enterprise-security.threat-topology
   data: { [-]
     action: view
     app: SplunkEnterpriseSecuritySuite
     page: incident_review
   }
   deploymentID: dd2e7874-098f-549c-af70-0d33636be94d
   eventID: 538e4d34-0fbb-a4ea-05b4-0e50445823a1
   experienceID: 63a92645-5d53-91f4-15b5-c32c12aac41a
   optInRequired: 3
   splunkVersion: 9.0.1
   timestamp: 1669674829
   userID: 5d040a73e82459dd2ac8c58d50e6f37f6072a99a5ba0f84bacc4e496a3579a1a
   version: 4
   visibility: anonymous,support
}
app.session.enterprise-security.mitre-matrix
  • Report the number of users who have viewed the mitre-matrix component
  • Report the number of times users have rendered the mitre-matrix component  
 
{ [-]
   component: app.session.enterprise-security.mitre-matrix
   data: { [-]
     action: view
     app: SplunkEnterpriseSecuritySuite
     page: incident_review
   }
   deploymentID: dd2e7874-098f-549c-af70-0d33636be94d
   eventID: dce50f20-e5d6-0229-65b1-61d04ccd7367
   experienceID: 668d518b-2b52-e502-78b2-e9f8587cfbdb
   optInRequired: 3
   splunkVersion: 9.0.1
   timestamp: 1669678343
   userID: 5d040a73e82459dd2ac8c58d50e6f37f6072a99a5ba0f84bacc4e496a3579a1a
   version: 4
   visibility: anonymous,support
}
app.session.enterprise-security.ba-enable-modal
  • Report the number of users who have viewed the mitre-matrix component
  • Report the number of times users have rendered the mitre-matrix component  
 
{ [-]
   component: app.session.enterprise-security.ba-enable-modal
   data: { [-]
     action: click
     app: SplunkEnterpriseSecuritySuite
     page: ess_home
     section: submit-ticket
   }
   deploymentID: dd2e7874-098f-549c-af70-0d33636be94d
   eventID: de6b5a51-d15a-27de-6015-97c818a41757
   experienceID: 8ec2c25a-8edd-5438-95b7-ae009c1db2aa
   optInRequired: 3
   splunkVersion: 9.0.1
   timestamp: 1669756275
   userID: 5d040a73e82459dd2ac8c58d50e6f37f6072a99a5ba0f84bacc4e496a3579a1a
   version: 4
   visibility: anonymous,support
}
app.SplunkEnterpriseSecuritySuite.active_users Report the number of active users. 
{
  "version": "1.0",
  "end": 1521483766,
  "begin": 1521396000,
  "data": {
    "analyst_count": 0,
    "count": 1,
    "admin_count": 1,
    "user_count": 0
  }
}
app.SplunkEnterpriseSecuritySuite.annotations_usage Report the number of users that enable and start using annotations in correlation searches for the risk framework. 
{
  "data": {
    "unique_annotation_count": 86,
    "unique_framework_count": 4,
    "searches_with_cis20": 200,
    "searches_with_kill_chain_phases": 176,
    "searches_with_mitre_attack": 119,
    "searches_with_nist": 199,
    "searches_with_annotations": 213
  },
  "version": "1.0"
}
app.SplunkEnterpriseSecuritySuite.datamodel_
distribution 		Performs a data model audit to determine which models are the most heavily used. 
{
  "data": {
    "size": 2265088,
    "datamodel": "Change_Analysis",
    "perc": 49.33
  },
  "version": "1.0"
}
app.SplunkEnterpriseSecuritySuite.feature_usage
  • Reports the amount of time it takes for a page to load.
  • Reports data about feature usage.
 
{
  "end": 1521483766,
  "begin": 1521396000,
  "version": "1.0",
  "data": {
    "count": 1,
    "avg_spent": 515,
    "view": "ess_home"
  }
}
app.SplunkEnterpriseSecuritySuite.datamodel_dataset_population Reports which sourcetypes are populating data models and data sets. 
{ [-]
   app: SplunkEnterpriseSecuritySuite
   component: app.SplunkEnterpriseSecuritySuite.datamodel_dataset_population
   data: { [-]
     count: 3510
     dataset: Authentication
     model_name: Authentication
     sourcetype: XmlWinEventLog
   }
   deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1
   eventID: 9416AAD3-7DE3-4985-80E5-D8EACF7373AC
   executionID: 31D2B8E6-1679-4041-91A8-D9955A2B2544
   optInRequired: 3
   timestamp: 1662700871
   type: event
   userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4
   visibility: [ [+]
   ]
}
app.SplunkEnterpriseSecuritySuite.identity_manager Reports statistics pertaining to the usage of the Assets and Identities Framework. 
{
"data": { [-]
"asset_blacklist_count": 0,
"asset_count": 3,
"asset_custom_count": 1,
"asset_custom_fields": 0,
"asset_enabled_count": 1,
"asset_ldap_count": 0,
"asset_search_count": 0,
"identity_blacklist_count": 0,
"identity_count": 3,
"identity_custom_count": 0,
"identity_custom_fields": 0,
"identity_enabled_count": 2,
"identity_ldap_count": 0,
"identity_search_count": 0,
"total_blacklist_count": 0,
"total_count": 6,
"total_custom_count": 1,
"total_enabled_count": 3,
"total_ldap_count": 0,
"total_search_count": 0
},
"version": 1.0
}
app.SplunkEnterpriseSecuritySuite.investigation_information Report on the length of investigations in Splunk Enterprise Security. 
{ [-]
   app: SplunkEnterpriseSecuritySuite
   component: app.SplunkEnterpriseSecuritySuite.saved_search_information
   data: { [-]
     investigation_id: 3392852E-71F0-43DD-B826-F155BE830660
     name: TestInvestigation
     status_name: In Progress
     create_time: 1662700236
     status_time: 1662700236
   }
   deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1
   eventID: 3392852E-71F0-43DD-B826-F155BE830660
   executionID: D35401ED-3320-4F4B-8542-BC1068F93454
   optInRequired: 3
   timestamp: 1662700236
   type: event
   userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4
   visibility: [ [+]
   ]
}
app.SplunkEnterpriseSecuritySuite.lookup_usage Reports statistics pertaining to the usage of the Asset & Identity Manager, such as lookup table size and number of entries. 
{
  "data": {
    "count": 0,
    "size": 22,
    "transform": "access_app_tracker"
  },
  "version": "1.0"
}
app.SplunkEnterpriseSecuritySuite.notable_event_status_changes
  • Reports the efficacy of the detections.
  • Reports how long the notable events are in progress.
 
{ [-]
   app: SplunkEnterpriseSecuritySuite
   component: app.SplunkEnterpriseSecuritySuite.saved_search_information
   data: { [-]
     time: {}
     event_id: DA-ESS-NetworkProtection
     search_name: Traffic - Traffic Over Time By Transport Protocol
     status_label: In Progress
     disposition_label: NA
     urgency: 0
   }
   deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1
   eventID: 3392852E-71F0-43DD-B826-F155BE830660
   executionID: D35401ED-3320-4F4B-8542-BC1068F93454
   optInRequired: 3
   timestamp: 1662700236
   type: event
   userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4
   visibility: [ [+]
   ]
}
app.SplunkEnterpriseSecuritySuite.macro_usage

Reports on how users use ESCU output filers for their content. 

{ [-]
   app: SplunkEnterpriseSecuritySuite
   component: app.SplunkEnterpriseSecuritySuite.macro_usage
   data: { [-]
     macro_name: wmi_permanent_event_subscription___sysmon_filter
     definition: search *
   }
   deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1
   eventID: 3392852E-71F0-43DD-B826-F155BE830660
   executionID: D35401ED-3320-4F4B-8542-BC1068F93454
   optInRequired: 3
   timestamp: 1662700236
   type: event
   userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4
   visibility: [ [+]
   ]
}
app.SplunkEnterpriseSecuritySuite.risk_event_information
  • Reports the specific searches that create risk events in customer environments.
  • Reports the annotations that create risk events.
  • Reports how risk scores are associated with annotations.
 
{
{ [-]
   app: SplunkEnterpriseSecuritySuite
   component: app.SplunkEnterpriseSecuritySuite.risk_event_information
   data: { [-]
     _time: 1662673793
     annotations: {"analytic_story": ["Hermetic Wiper", "Malicious PowerShell"], "confidence": 100, "context": ["Source:Endpoint", "Stage:Recon"], "impact": 30, "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1592"], "observable": [{"name": "Computer", "role": ["Victim"], "type": "Endpoint"}, {"name": "User", "role": ["Victim"], "type": "User"}]}
     calculated_risk_score: 30
     risk_factor_add: 0
     risk_factor_mult: 1
     hashed_risk_object: 62f6f8455743c8614847162d03453acaa1ae0b0cdcd5593ff0a2db1e92cf3368
     hashed_normalized_risk_object: 62f6f8455743c8614847162d03453acaa1ae0b0cdcd5593ff0a2db1e92cf3368
     risk_object_type: system
     risk_score: 30
     search_name: ESCU - WMI Recon Running Process Or Services - Rule
     orig_sourcetype: NA
   }
   deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1
   eventID: 51708359-68B8-40D8-A789-011C8544DA92
   executionID: A11AB986-2A75-406D-8405-A65D6D83AADE
   optInRequired: 3
   timestamp: 1662702322
   type: event
   userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4
   visibility: [ [+]
   ]
}
app.SplunkEnterpriseSecuritySuite.risk_notable_information
  • Reports the specific searches that create risk notables in customer environments.
  • Reports the risk events that create risk notables.
  • Reports how risk notables are associated with annotations.
 
{ [-]
   app: SplunkEnterpriseSecuritySuite
   component: app.SplunkEnterpriseSecuritySuite.risk_notable_information
   data: { [-]
     _time: 1662596119
     annotations: {"mitre_attack": "T1587.003", "analytic_story": "Splunk Vulnerabilities", "cis20": ["CIS 16", "CIS 3", "CIS 5"], "kill_chain_phases": "Exploitation", "nist": "DE.CM", "context": "Source:Endpoint", "observable": "{\"name\":\"splunk_server\",\"role\":[\"Victim\"],\"type\":\"Hostname\"}"}
     event_id: 1D3F1BA5-1EDB-43DB-A9BA-92C62607E589@@notable@@56ceb57a41ca64f8960a7c1ae5eec67c
     notable_type: risk_event
     risk_object_type: system
     hashed_risk_object: 62f6f8455743c8614847162d03453acaa1ae0b0cdcd5593ff0a2db1e92cf3368
     hashed_normalized_risk_object: 62f6f8455743c8614847162d03453acaa1ae0b0cdcd5593ff0a2db1e92cf3368
     hashed_all_risk_objects: ['62f6f8455743c8614847162d03453acaa1ae0b0cdcd5593ff0a2db1e92cf3368']
     risk_score: 1750
     risk_search: ESCU - Splunk Digital Certificates Infrastructure Version - Rule
     risk_event_count: 50
     search_name: Risk - 24 Hour Risk Threshold Exceeded - Rule
     security_domain: threat
     source_count: 1
     orig_sourcetype: NA
   }
   deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1
   eventID: 04FB2258-FDEA-47E3-AFFA-0ECACBE79A5F
   executionID: 33F085CD-98E3-433A-AF4C-716A85D952A8
   optInRequired: 3
   timestamp: 1662702627
   type: event
   userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4
   visibility: [ [+]
   ]
}
app.SplunkEnterpriseSecuritySuite.ba_detections
  • Reports on which behavioral analytics detections are enabled in customer environments.
  • Reports on how customers are using the test and risk indexes.
 
{ [-]
   app: SplunkEnterpriseSecuritySuite
   component: app.SplunkEnterpriseSecuritySuite.ba_detections
   data: { [-]
     name: Applications Spawning cmd.exe
     annotations: {"mitre_attack": ["T1106"]}
     enabled: 0
     useRiskIndex: 0
     version: 1.0
     id: e332f45a-e332f45a-e332f45a

   }
   deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1
   eventID: 3392852E-71F0-43DD-B826-F155BE830660
   executionID: D35401ED-3320-4F4B-8542-BC1068F93454
   optInRequired: 3
   timestamp: 1662700236
   type: event
   userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4
   visibility: [ [+]
   ]
}
app.SplunkEnterpriseSecuritySuite.ba_test_information
  • Reports the behavioral analytics searches that create risk events in customer environments.
  • Reports the annotations that create behavioral analytics risk events.
 
{ [-]
   app: SplunkEnterpriseSecuritySuite
   component: app.SplunkEnterpriseSecuritySuite.ba_Test_information
   data: { [-]
     _time: 1662673793
     annotations: {"analytic_story": ["Hermetic Wiper", "Malicious PowerShell"], "confidence": 100, "context": ["Source:Endpoint", "Stage:Recon"], "impact": 30, "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1592"], "observable": [{"name": "Computer", "role": ["Victim"], "type": "Endpoint"}, {"name": "User", "role": ["Victim"], "type": "User"}]}
     hashed_risk_object: 62f6f8455743c8614847162d03453acaa1ae0b0cdcd5593ff0a2db1e92cf3368
     risk_object_type: system
     risk_score: 30
     search_name: ESCU - WMI Recon Running Process Or Services - Rule
   }
   deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1
   eventID: 51708359-68B8-40D8-A789-011C8544DA92
   executionID: A11AB986-2A75-406D-8405-A65D6D83AADE
   optInRequired: 3
   timestamp: 1662702322
   type: event
   userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4
   visibility: [ [+]
   ]
}
app.SplunkEnterpriseSecuritySuite.riskfactors_usage Reports how customers use the risk framework. 
{
{ [-]
app: SplunkEnterpriseSecuritySuite
component: app.SplunkEnterpriseSecuritySuite.riskfactors_usage
data: { [-]
fields_info: [ [-]
{"fields_used": "dest_priority", "count": 1}
{"fields_used": "user_category", "count": 2}
{"fields_used": "user_priority", "count": 2}
{"fields_used": "user_watchlist", "count": 1}
]
total: 5
}
deploymentID: 464150eb-1b95-528e-85ca-272ba19d113f
eventID: AB7AC804-8711-459C-A649-0A2DD8962299
executionID: 1E895CC2-5C46-456F-9A79-86CC0ED05036
optInRequired: 3
timestamp: 1603825511
type: aggregate
visibility: [ [+]
]
}
app.SplunkEnterpriseSecuritySuite.risk_riskfactors_impact Reports how the customers engage with risk framework. 
{ [-]
app: SplunkEnterpriseSecuritySuite
component: app.SplunkEnterpriseSecuritySuite.risk_riskfactors_impact
data: { [-]
distinct_risk_object_count: 2
max_calc_risk_score: 100
max_risk_factor_add_matches: 0
max_risk_factor_mult_matches: 1
max_risk_score: 100
min_calc_risk_score: 100
min_risk_factor_add_matches: 0
min_risk_factor_mult_matches: 1
min_risk_score: 100
risk_factor_add_matches: 0
risk_factor_mult_matches: 0
risk_object_type: system
}
deploymentID: 3db462ee-7955-54b0-9a94-24bc19f352a8
eventID: 84949E43-2964-43CC-AA04-50F2C4082674
executionID: 27E5957D-41F4-4C83-A1F1-DCF5C9D324DC
optInRequired: 3
timestamp: 1603851828
type: aggregate
visibility: [ [+]
]
}
app.SplunkEnterpriseSecuritySuite.saved_search_information
  1. Reports what searches are enabled in customer environments.
  2. Reports the desired outcome of the search.
  3. Reports the use of SPL
 
{ [-]
   app: SplunkEnterpriseSecuritySuite
   component: app.SplunkEnterpriseSecuritySuite.saved_search_information
   data: { [-]
     annotations: {}
     app_name: DA-ESS-NetworkProtection
     creates_notable: 0
     creates_risk: 0
     uses_suppression: 0
     description:
     disabled: 0
     search: | `tstats` count from datamodel=Network_Traffic.All_Traffic by _time,All_Traffic.transport span=10m | timechart minspan=10m useother=`useother` count by All_Traffic.transport | `drop_dm_object_name("All_Traffic")`
     search_name: Traffic - Traffic Over Time By Transport Protocol
   }
   deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1
   eventID: 3392852E-71F0-43DD-B826-F155BE830660
   executionID: D35401ED-3320-4F4B-8542-BC1068F93454
   optInRequired: 3
   timestamp: 1662700236
   type: event
   userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4
   visibility: [ [+]
   ]
}
app.SplunkEnterpriseSecuritySuite.search_actions Reports what was searched for. 
{
  "data": {
    "total_scheduled": 70,
    "action": "output_message",
    "is_adaptive_response": 1,
    "count": 6
  },
  "version": "1.0"
}
app.SplunkEnterpriseSecuritySuite.search_execution Reports average run time by search to help gauge performance. 
{
  "end": 1521483766,
  "begin": 1521396000,
  "data": {
    "avg_run_time": 0.75,
    "count": 2,
    "search_alias": "Access - Authentication Tracker - Lookup Gen"
  },
  "version": "1.0",
}
data.context Reports how many times a given workbench panel was used and the distribution of fields drilled into from workflow actions. 
{ 
   component: app.session.rum.mark
   data: { 
     app: SplunkEnterpriseSecuritySuite
     context: { 
       field: lokloklok
       panels: [ 
         f2c5c990f8fbf4f173ed8ae17ac3463c53e674e10494ea6ae331f25d410c7647
         f2c5c990f8fbf4f173ed8ae17ac3463c53e674e10494ea6ae331f25d410c7647
         a7f1eed1b49d2391fbe7f6b6cb91a3c146a4e905e536be8e3d5581f15f90248c
       ]
     }
     hero: embedded workbench panel page
     page: ess_workbench_panel
     sourceLocation: controller mounted
     timeSinceOrigin: 17539.599999785423
     transactionId: 9eb149d0-84d9-11ea-9a01-6da37c4190ff
   }
   deploymentID: 90dacf53-e620-5a99-8cd4-15225d4fafc3
   eventID: 19c90580-816d-2dc5-13a8-5af783596253
   experienceID: 6aa4e746-c8f0-234b-35b2-dff0e1b2fbab
   optInRequired: 3
   timestamp: 1587588081
   userID: 953b11dd9ec6593a941245c43738a191110c7e42f8e81b75fd6a18452a2755bb
   version: 3
   visibility: anonymous,support
}
app.SplunkEnterpriseSecuritySuite.splunk_apps Reports what apps are installed along with Splunk Enterprise Security 
{ [-]
   app: SplunkEnterpriseSecuritySuite
   component: app.SplunkEnterpriseSecuritySuite.splunk_apps
   data: { [-]
     app_label: Splunk Add-on for UEBA
     app_name: Splunk_TA_ueba
     version: 3.1.0
   }
   deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1
   eventID: 74F06225-D7EA-4EA8-B097-847679513164
   executionID: 9614FCEF-ACD0-42D7-9B26-3FAFC7DF28E9
   optInRequired: 3
   timestamp: 1662701117
   type: event
   userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4
   visibility: [ [+]
   ]
app.session.rum.measure Reports performance metrics around API calls. 
{ [-]
   component: app.session.rum.mark
   data: { [-]
     app: SplunkEnterpriseSecuritySuite
     context: { [-]
     }
     hero: data/transforms/managed_lookups
     page: ess_content_management_new
     sourceLocation: { [-]
       size: 234962 bytes
       status: 200
       success: true
     }
     timeSinceOrigin: 13765.400000035763
     transactionId: 9db527a0-f349-11ec-ba71-d51f5aafc42d
   }
   deploymentID: 9aa97b42-ff6d-5381-b1d3-a80ad934fbce
   eventID: cde8c736-b7f9-0c84-8d34-0d8d3f99bf3e
   experienceID: d0a6bfc4-4c5e-00f0-a302-b9a38ae05590
   optInRequired: 3
   splunkVersion: 8.2.2201
   timestamp: 1656025808
   userID: 923d6d128a7f8bfbb1950cc0be471b9251b0209477ad236e91f31debddd99699
   version: 4
   visibility: anonymous,support
}
Last modified on 31 October, 2023
PREVIOUS
About Splunk Enterprise Security 		  NEXT
Performance reference for Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.0, 7.3.1

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters