Configure the products you have in your environment with the Data Inventory dashboard
Use the Data Inventory dashboard to configure the products you have in your environment. Products have a variety of metadata, such as sourcetypes, event volume, and Common Information Model (CIM) compliance, and are connected with data source categories. Because of this, the Data Inventory dashboard can show you what content can be turned on with your current data. To use the Data Inventory dashboard, follow these steps:
- In Splunk Security Essentials, navigate to Data > Data Inventory.
- From the pop-up window, select how you want to get your data into this dashboard.
  - If Splunk Security Essentials is installed on your production search head, click Launch Automated Introspection to automatically import data.
  - Click Manually Configure to manually enter your data.
Introspection lets Splunk Security Essentials see what data you have available to use across the app.
- If you chose Automated Introspection, click Automated Introspection to see the five automated introspection steps that will pull in a variety of data.
- If any of your sources or source types don't appear correctly, click Update in the Actions column to make changes.
- Once your data appears in the menu, if there is an X or a question mark (?) beside a data source, manually review that data source to determine whether you have that type of data in your environment.
When reviewing your sources, you can view the Products for this Data Source Category table. This table includes the following information:
Name | Description |
---|---|
i | Expand the arrow to see information on the number of hosts, average event size, typical events per day, CIM coverage, and TERM search. |
Vendor | The company that sells the product. |
Product | The name of the product. |
Status | Describes whether or not there is data present in this product. |
Coverage | Use this field to track how much of the data is in Splunk. |
Base Search | The search string that can be used to detect the data source. If this has already been detected, it is automatically saved here. |
Actions | Use the buttons to Update or Delete a product. |
Troubleshoot Data Inventory Introspection
If you are experiencing issues with data inventory introspection, it might be helpful to reset and run the configuration. Most issues seen with Data Introspection resolve after resetting and running the configuration.
Prerequisites
Use Splunk Security Essentials 3.0.3 or above.
Solution
Use the following troubleshooting steps to reset the Splunk Security Essentials system:
1. From the Splunk Security Essentials app, refresh the Data Inventory page.
2. Open the status dialog.
3. Click Reset Configurations.
4. When the prompt appears, click Run Data Introspection. If the prompt doesn't appear, repeat steps 2 and 3.
5. Review all Review configurations and define what product they belong to.
This documentation applies to the following versions of Splunk® Security Essentials: 3.3.3, 3.3.4, 3.4.0, 3.5.0, 3.5.1