Splunk® Mission Control

Get Data into Splunk Mission Control


Set up getting data into Splunk Mission Control from Splunk Enterprise Security

Decide what data you want to send to Splunk Mission Control and set up the necessary configurations to send that data to Splunk Mission Control. Send data from Splunk Enterprise Security to Splunk Mission Control so that you can triage and investigate notable events in Splunk Mission Control, as well as review and manage content in Splunk Mission Control.

This is step 5 of 5 to send data from Splunk Enterprise Security to Splunk Mission Control. See all steps: Get data into Splunk Mission Control from Splunk Enterprise Security.

Splunk Connect for Mission Control includes several saved searches to send data to Splunk Mission Control. You can send the following types of data:

  • Notable events and sequenced notable events. Asset and identity resolution is performed for notable events to gather relevant artifacts.
  • Risk events from the risk index.
  • Knowledge objects visible on Content Management in Splunk Enterprise Security, such as correlation searches, search-driven lookups, swimlane searches, and others.

Splunk Mission Control limits the number of notables that you can send to 1000 notables per hour. If you might reach that limit, see Cause: you are sending more than 1000 notables per hour total to Splunk Mission Control.

These searches are disabled by default when you install Splunk Connect for Mission Control. All searches run every 2 minutes over the last 2 minutes of data. Follow the steps in this topic to determine which searches to enable to get data into Splunk Mission Control.

Don't add the Splunk Mission Control Trigger Actions "Send Notable Events To Mission Control," "Send Risk Events To Mission Control," and "Send Content Management data to Mission Control" to Splunk Enterprise Security saved searches or correlation searches. These actions are specific to Splunk Mission Control; if they are added to Splunk Enterprise Security saved searches or correlation searches, raw events are sent to Splunk Mission Control and cause errors.

Get notable events into Splunk Mission Control

To send notable events and the associated artifacts from the asset and identity lookups in Splunk Enterprise Security to Splunk Mission Control, enable the relevant searches.

If you want to send a different combination of notable events and artifacts to Splunk Mission Control, see Customize getting data into Splunk Mission Control from Splunk Enterprise Security.

  1. In Splunk Web, click Settings.
  2. Click Searches, Reports, and Alerts.
  3. Change the selection for the App filter to Splunk Connect for Mission Control.
  4. Locate the Mission Control - Forward Sequenced Notable Events - Ingestion search and click Edit > Enable.
  5. Locate the Mission Control - Forward Notable Events - Ingestion search and click Edit > Enable.
  6. Locate the Mission Control - Retry Unacknowledged Events - Ingestion search and click Edit > Enable. This search is used to make sure no notable event data is lost when sending data to Splunk Mission Control.
  7. Locate the Mission Control - Event Ack Lookup Retention - Ingestion search and click Edit > Enable. This search manages the KV Store collection that stores successful event acknowledgements, removing entries that are older than 7 days.

Get risk data into Splunk Mission Control

Enable the search to send risk events to Splunk Mission Control so that artifacts include risk score data:

  1. In Splunk Web, click Settings.
  2. Click Searches, Reports, and Alerts.
  3. Change the selection for the App filter to Splunk Connect for Mission Control.
  4. Locate the Mission Control - Forward Risk Events - Ingestion search and click Edit > Enable.

Get Content Management data into Splunk Mission Control

After you set up Splunk Connect for Mission Control, enable the search to send Content Management data to Splunk Mission Control:

  1. In Splunk Web, click Settings.
  2. Click Searches, Reports, and Alerts.
  3. Change the selection for the App filter to Splunk Connect for Mission Control.
  4. Locate the Mission Control - Forward Content Management Data - Ingestion search and click Edit > Enable.
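
The three procedures above enable the same set of saved searches by clicking through Splunk Web. The following script, added here as an example and not part of Splunk Connect for Mission Control, does the same over the Splunk REST API and reads each search back to confirm it is enabled. The app directory name in MC_APP, the management port 8089, and the authentication token in SPLUNK_TOKEN are assumptions; check the app name under $SPLUNK_HOME/etc/apps before use.

```python
"""Enable the Mission Control ingestion searches via the Splunk REST API and verify them."""
import json
import os
import urllib.parse
import urllib.request

# ASSUMPTION: directory name of the Splunk Connect for Mission Control app.
MC_APP = "splunk_connect_for_mission_control"

# Search names exactly as listed in this topic.
NOTABLE_SEARCHES = [
    "Mission Control - Forward Sequenced Notable Events - Ingestion",
    "Mission Control - Forward Notable Events - Ingestion",
    "Mission Control - Retry Unacknowledged Events - Ingestion",
    "Mission Control - Event Ack Lookup Retention - Ingestion",
]
RISK_SEARCHES = ["Mission Control - Forward Risk Events - Ingestion"]
CONTENT_SEARCHES = ["Mission Control - Forward Content Management Data - Ingestion"]


def search_url(base, name, action=None):
    """Build the saved-search endpoint URL; the search name must be percent-encoded."""
    path = f"/servicesNS/nobody/{MC_APP}/saved/searches/{urllib.parse.quote(name, safe='')}"
    if action:
        path += f"/{action}"
    return base.rstrip("/") + path


def _call(base, token, name, action=None, method="GET"):
    """Issue one authenticated request and return the JSON body."""
    url = search_url(base, name, action) + "?output_mode=json"
    req = urllib.request.Request(url, method=method, data=b"" if method == "POST" else None)
    req.add_header("Authorization", f"Bearer {token}")
    # For a search head using a private CA, pass an ssl.SSLContext loaded with that CA here.
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def enable_and_verify(base, token, names):
    """POST .../enable for each search, then read back 'disabled' to confirm the change."""
    status = {}
    for name in names:
        _call(base, token, name, "enable", method="POST")
        content = _call(base, token, name)["entry"][0]["content"]
        status[name] = not content["disabled"]
    return status


if __name__ == "__main__":
    # ASSUMPTION: management port 8089 and a token exported as SPLUNK_TOKEN.
    result = enable_and_verify("https://es-searchhead.example:8089", os.environ["SPLUNK_TOKEN"],
                               NOTABLE_SEARCHES + RISK_SEARCHES + CONTENT_SEARCHES)
    for name, enabled in result.items():
        print(f"{'enabled ' if enabled else 'DISABLED'}  {name}")
```

Any search still reported as DISABLED after the run should be checked in Splunk Web under Searches, Reports, and Alerts, since the read-back reflects what the scheduler will actually run.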

Verify that data successfully appears in Splunk Mission Control

Review various parts of Splunk Mission Control to confirm that data that you send from Splunk Enterprise Security appears successfully.

  1. Open Splunk Mission Control and click Investigations to view the analyst queue to confirm that notable events and sequenced notable events appear as notables.
  2. Click a notable in Splunk Mission Control and review the Details on the Overview tab to confirm that the data in the notable event was correctly processed.
  3. Click the Analytics tab to review the artifacts associated with the notable. You can also review the risk scores for relevant artifacts from this tab.
  4. Click Content to view the content from Splunk Enterprise Security in Splunk Mission Control. See Manage content in Splunk Mission Control.

If you don't see some data that you are sending to Splunk Mission Control, see Troubleshoot why data is not getting into Splunk Mission Control from Splunk Enterprise Security.

Last modified on 23 September, 2021

This documentation applies to the following versions of Splunk® Mission Control: Current

