Splunk® Security Essentials

Use Splunk Security Essentials

This documentation does not apply to the most recent version of Splunk® Security Essentials. For documentation on the most recent version, go to the latest release.

Configure the products you have in your environment with the Data Inventory dashboard

Use the Data Inventory dashboard to configure the products you have in your environment. Each product carries metadata such as its sourcetypes, event volume, and Common Information Model (CIM) compliance, and each is mapped to one or more data source categories. Because of this mapping, the Data Inventory dashboard can show you which content can be turned on with the data you already have. To use the Data Inventory dashboard, follow these steps:

  1. In Splunk Security Essentials, navigate to Data > Data Inventory.
  2. From the pop-up window, select how you want to get your data into this dashboard.
    1. If Splunk Security Essentials is installed on your production search head, click Launch Automated Introspection to automatically import data.
    2. Click Manually Configure to manually enter your data.

Introspection lets Splunk Security Essentials see what data you have available to use across the app.

  1. If you chose Automated Introspection, click Automated Introspection to see the five automated introspection steps that will pull in a variety of data.
  2. If any of your sources or source types don't appear correctly, click Update in the Actions column to make changes.
  3. Once your data appears in the menu, if an X or a question mark (?) is shown beside a data source, manually review that data source to determine whether you have that type of data in your environment.

When reviewing your sources, you can view the Products for this Data Source Category table. This table includes the following columns:

  Name         Description
  i            Expand the arrow to see the number of hosts, average event size, typical events per day, CIM coverage, and the TERM search for the product.
  Vendor       The company that sells the product.
  Product      The name of the product.
  Status       Indicates whether or not data is present for this product.
  Coverage     Use this field to track how much of the product's data is in Splunk.
  Base Search  The search string that can be used to detect the data source. If the data source has already been detected, the search is saved here automatically.
  Actions      Use the buttons to Update or Delete a product.
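The per-product figures behind the expand arrow (number of hosts and typical events per day) can be computed from the index itself. The following SPL search is an added example and is not part of Splunk Security Essentials or of this page; it assumes you have read access to the indexes you care about and uses a constructed seven-day window. It summarizes every sourcetype with accelerated index-time fields via tstats, which is cheap enough to run across all indexes:

```spl
| tstats count AS events dc(host) AS hosts min(_time) AS first_seen max(_time) AS last_seen
    where index=* earliest=-7d@d latest=@d
    by index sourcetype
| eval span_days=max(1, round((last_seen - first_seen) / 86400, 2))
| eval events_per_day=round(events / span_days, 0)
| fields index sourcetype hosts events events_per_day first_seen last_seen
| sort - events_per_day
```

The span is floored at one day so a sourcetype that only appeared once does not report an inflated daily rate. Average event size and CIM coverage cannot be taken from tstats because they need the raw events: run the product's Base Search over a short window and pipe it to `| eval bytes=len(_raw) | stats avg(bytes)` for size, or check that the CIM fields the relevant data model expects (for example `user`, `src`, `action`) are populated, to reproduce the remaining figures the dashboard shows.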

See an overview of your data inventory

If you want to see an overview of information about your data inventory, use the Data Inventory Overview dashboard. To see that dashboard in Splunk Security Essentials, navigate to Data > Data Inventory Overview. The Data Inventory Overview dashboard displays this information:

  • Data Sources Observed: The number of data sources you are currently observing in your data inventory.
  • Data Source Categories with Data Observed: The number of data-source categories you are observing that contain data. A category that contains no data is not counted.
  • Products with Data Observed: The number of products you are observing that contain data. A product that contains no data is not counted.
  • Products by Data Source: A table that displays the products you are observing and their related data sources. The table is color coded so you can easily identify products at a glance.

Troubleshoot Data Inventory Introspection

If you are experiencing issues with data inventory introspection, reset the configuration and run introspection again. Most of the issues seen with Data Introspection resolve after resetting and rerunning the configuration.

Prerequisites

Use Splunk Security Essentials 3.0.3 or above.

Solution

Use the following troubleshooting steps to reset the Splunk Security Essentials system:

  1. From the Splunk Security Essentials app, refresh the Data Inventory page.
  2. Open the status dialog.
  3. Click Reset Configurations.
  4. When the prompt appears, click Run Data Introspection. If the prompt doesn't appear, repeat steps 2 and 3.
  5. Review all configurations in the Review state and define which product each belongs to.
Last modified on 01 July, 2022

This documentation applies to the following versions of Splunk® Security Essentials: 3.6.0
