Accelerate data models to build InfoSec app for Splunk dashboards
Accelerate data models after you confirm that the correct event data is fed into the data models that are required for the Splunk InfoSec app. You must accelerate each of the data models.
You can only accelerate the data models after you confirm that they are fed with the correct event data because after acceleration, the data models cannot be edited without first disabling the acceleration.
Accelerate a data model
Perform the following steps on all the data models that are fed event data. This example uses the Authentication data model, but you can follow these steps to accelerate any data model.
Don't accelerate a data model that contains no event data.
- On the Splunk Platform menu bar, select Configure > Settings > Data models.
- Identify the Authentication data model.
Do not click on the '''Authentication''' data model because you must work within the current web page.
- From the Actions column, select Edit > Edit Acceleration.
- In the Edit Acceleration dialog box, perform the following actions:
- Check Accelerate.
- Set the Summary Range to a suitable time frame.
- Click Save.
- View each of the InfoSec app dashboards from the menu bar starting with Security Posture.
- Confirm that all the dashboards are populating with data. If you find a dashboard that is not populating, you might not have the required data source within your Splunk platform to feed the dashboard. For more information on troubleshooting, see Troubleshoot the Splunk InfoSec app.
Validate data sources that feed the InfoSec app for Splunk data models | Extend the capabilities of the InfoSec app for Splunk |
This documentation applies to the following versions of Splunk® InfoSec App: 1.6.4, 1.7.0
Feedback submitted, thanks!