Configure the products you have in your environment with the Data Inventory dashboard
Use the Data Inventory dashboard to record which products you have in your environment. Each product carries metadata such as its sourcetypes, event volume, and Common Information Model (CIM) compliance, and is linked to one or more data source categories. Because content is tied to data source categories, the Data Inventory dashboard can show you which content you can turn on with the data you already have. To use the Data Inventory dashboard, follow these steps:
1. In Splunk Security Essentials, navigate to Data > Data Inventory.
2. In the pop-up window, select how you want to get your data into this dashboard:
   - If Splunk Security Essentials is installed on your production search head, click Launch Automated Introspection to import data automatically. Introspection lets Splunk Security Essentials see what data is available to use across the app.
   - Click Manually Configure to enter your data by hand.
3. If you chose automated introspection, click Automated Introspection to see the five introspection steps that pull in a variety of data.
4. If any of your sources or source types don't appear correctly, click Update in the Actions column to make changes.
5. Once your data appears in the menu, if there is an X or a question mark (?) beside a data source, manually review that data source to determine whether you have that type of data in your environment.
When reviewing your sources, you can view the Products for this Data Source Category table. This table includes the following information:
Name | Description |
---|---|
i | Click the arrow to expand the row and see the number of hosts, average event size, typical events per day, CIM coverage, and TERM search for the product. |
Vendor | The company that sells the product. |
Product | The name of the product. |
Status | Whether data from this product is present. |
Coverage | Use this field to track how much of the product's data is in Splunk. |
Base Search | The search string that can be used to detect the data source. If the data source has already been detected, the search is saved here automatically. |
Actions | Use the buttons to Update or Delete a product. |
Select Add Products to add products to this table. If automated introspection found no products for the data type, a message appears: select Add Products to add products manually, or select Dismiss, No Data Present if you have no data of this type.
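As an added example (not from the Splunk documentation or the app itself), the following search approximates by hand the metadata that the expandable row reports for a product, and its first line is the kind of search string you would save as the product's Base Search. It assumes the product is Windows Security event logs with sourcetype XmlWinEventLog:Security; substitute your own sourcetype. The three fields tested for CIM coverage (action, user, src) are an assumed proxy for the Authentication data model; the Common Information Model Compliance Check dashboard remains the authoritative check.

```spl
index=* sourcetype="XmlWinEventLog:Security" earliest=-7d@d latest=@d
| eval event_bytes=len(_raw)
| eval cim_ok=if(isnotnull(action) AND isnotnull(user) AND isnotnull(src), 1, 0)
| stats count AS events, dc(host) AS hosts, avg(event_bytes) AS avg_event_bytes, sum(cim_ok) AS cim_events
| eval events_per_day=round(events/7), avg_event_bytes=round(avg_event_bytes), cim_coverage_pct=round(100*cim_events/events, 1)
| fields hosts, avg_event_bytes, events_per_day, cim_coverage_pct
```

The time range is pinned to seven full days (`-7d@d` to `@d`) so that dividing the event count by 7 gives a typical events-per-day figure rather than one skewed by a partial day. `index=*` is deliberately broad so the search detects the data wherever it lands; once you know the index, narrow the Base Search to it so the introspection runs cheaply. An empty result, or `hosts` of 0, is the manual equivalent of the X or question mark beside a data source: the product is not sending data to this search head.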
See an overview of your data inventory
If you want to see an overview of information about your data inventory, use the Data Inventory Overview dashboard. To see that dashboard in Splunk Security Essentials, navigate to Data > Data Inventory Overview. The Data Inventory Overview dashboard displays this information:
- Data Sources Observed: The number of data sources currently observed in your data inventory.
- Data Source Categories with Data Observed: The number of data source categories in which data has been observed. A category with no data isn't counted.
- Products with Data Observed: The number of products for which data has been observed. A product with no data isn't counted.
- Products by Data Source: A table of the products you are observing and their related data sources. The table is color coded so you can identify products at a glance.
Troubleshoot Data Inventory Introspection
If you experience issues with data inventory introspection, reset the configuration and run introspection again. Most issues seen with data introspection resolve after a reset and rerun.
Prerequisites
Use Splunk Security Essentials version 3.0.3 or higher.
Solution
Use the following steps to reset the Splunk Security Essentials data inventory configuration:
1. In the Splunk Security Essentials app, refresh the Data Inventory page.
2. Open the status dialog.
3. Click Reset Configurations.
4. When the prompt appears, click Run Data Introspection. If the prompt doesn't appear, repeat steps 2 and 3.
5. Review every configuration marked Review and define which product it belongs to.
This documentation applies to the following versions of Splunk® Security Essentials: 3.7.1, 3.8.0, 3.8.1