Splunk® User Behavior Analytics

Develop Custom Content in Splunk User Behavior Analytics

This documentation does not apply to the most recent version of Splunk® User Behavior Analytics. For documentation on the most recent version, go to the latest release.

Create a new data cube

Create a new data cube to use with a new custom rare events or time series model. If you cloning an existing model, the new model uses the same cube as the original model. You can't select a new cube when cloning an existing model.

You can create a maximum of four custom cubes in Splunk UBA, and each cube can have a maximum of six dimensions and three measures.

Perform the following tasks to create a new cube.

  1. In Splunk UBA, select System > Cubes.
  2. Click New Cube.
  3. Define the cube properties.
  4. Configure the cube attributes.
  5. Configure the aggregation filter.
  6. Click OK.

Saving a custom cube can take up to 10 minutes, depending on the configuration of the cube.

Define the cube properties

Define the cube properties.

  1. Provide a name, description, and version number. The version number must be an integer.
  2. Configure a retention interval. By default, data cubes retain 30 days worth of data.
  3. Configure the data aggregation interval. By default, data cubes collect data every 24 hours (1 day).
  4. Select the view type from the drop-down list in the View Type field to filter events based on the selected view. See Examine existing cubes to get more information about Splunk UBA data views for more information about Splunk UBA views and cubes. Select Null if you know that the attributes you want to track do not belong to a view.
  5. Click Next.

Configure the cube attributes

Configure the data and format of the data you want to store in the cube.

The following attributes are required, depending on the purpose for which you are creating the new cube:

  • If you are creating a cube to use with a new rare events model, the userId is required to track the user ID in each event. Use view.*.user.uuid as the attribute key.
  • If you are creating a cube to use with a new time series model, you can choose to track either the user ID or device ID. You must track one of them:
    • Use view.*.user.uuid as the attribute key for the user ID.
    • Use view.*.device.uuid as the attribute key for the device ID.

Perform the following tasks to configure the cube attributes:

  1. Provide a name and description for each attribute. The name must be alphanumeric containing at least one letter, no special characters other than underscore (_), and no white spaces.
  2. Specify whether the attribute is a dimension or measure. See Example cube and descriptions for more information about dimensions and measures.
  3. Specify the data type of the attribute. For example, if you are tracking a user ID, choose STRING as the appropriate data type.

    Attributes with type BYTES must be placed at the end of the cube.

  4. Specify the attribute key. See Examine existing cubes to get more information about Splunk UBA data views for information about how to find view attributes and attribute keys.
  5. Specify the function of the attribute, either dimension or measure.
    • If the attribute is a dimension, this value must be None.
    • If the attribute is a measure, select one of the following:
      Value Description
      COUNT Increment the count by 1 each time the value is not empty or null.
      COUNT_TRUE Increment the count by 1 each time a boolean value is TRUE.
      SUM Compute the sum of the attribute's value.
  6. Verify that this is the order you want to the attributes to be in. If there is more than one attribute, you can change the order by disabling the Preserve Order toggle and dragging the attributes to the desired arrangement. Changing the attribute order is not allowed once the cube is created.
  7. Click Next.

The attribute tables created in the Splunk UBA web interface are stored in the Impala data tables. Do not delete or edit the tables using the CLI. Edit the data cube using the Splunk UBA web interface if you need to make changes.

Configure the aggregation filter

Filter the data you want to store in the cube to make sure that only proper events are stored. For example, suppose you have a cube that is tracking attributes from Windows security events for a specific use case. In some cases, an event may be missing an event ID. This event should not be stored in the cube as the lack of an event ID means the event would not be useful later on when parsed by a model. Enter a filter such as the following to make sure that events without an event ID are not stored: 

eventId != null

Multiple filters are processed using a logical AND relationship among the filters.

Last modified on 05 February, 2020
Understanding Splunk UBA data cubes   View, edit, delete, or restore a data cube

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters