Create a new data cube
Create a new data cube to use with a new custom rare events or time series model. If you are cloning an existing model, the clone uses the same cube as the original model; you can't select a different cube when cloning.
You can create a maximum of four custom cubes in Splunk UBA, and each cube can have a maximum of six dimensions and three measures.
Perform the following tasks to create a new cube.
- In Splunk UBA, select System > Cubes.
- Click New Cube.
- Define the cube properties.
- Configure the cube attributes.
- Configure the aggregation filter.
- Click OK.
Saving a custom cube can take up to 10 minutes, depending on the configuration of the cube.
Define the cube properties
Define the cube properties.
- Provide a name, description, and version number. The version number must be an integer.
- Configure a retention interval. By default, data cubes retain 30 days worth of data.
- Configure the data aggregation interval. By default, data cubes collect data every 24 hours (1 day).
- Select the view type from the drop-down list in the View Type field to filter events based on the selected view. See Examine existing cubes to get more information about Splunk UBA data views for more information about Splunk UBA views and cubes. Select Null if you know that the attributes you want to track do not belong to a view.
- Click Next.
Configure the cube attributes
Configure the data and format of the data you want to store in the cube.
The following attributes are required, depending on the purpose for which you are creating the new cube:
- If you are creating a cube to use with a new rare events model, the userId attribute is required to track the user ID in each event. Use view.*.user.uuid as the attribute key.
- If you are creating a cube to use with a new time series model, you can choose to track either the user ID or the device ID. You must track one of them:
  - Use view.*.user.uuid as the attribute key for the user ID.
  - Use view.*.device.uuid as the attribute key for the device ID.
Perform the following tasks to configure the cube attributes:
- Provide a name and description for each attribute. The name must be alphanumeric containing at least one letter, no special characters other than underscore (_), and no white spaces.
- Specify whether the attribute is a dimension or measure. See Example cube and descriptions for more information about dimensions and measures.
- Specify the data type of the attribute. For example, if you are tracking a user ID, choose STRING as the data type. Attributes with type BYTES must be placed at the end of the cube.
- Specify the attribute key. See Examine existing cubes to get more information about Splunk UBA data views for information about how to find view attributes and attribute keys.
- Specify the aggregation function of the attribute:
  - If the attribute is a dimension, this value must be None.
  - If the attribute is a measure, select one of the following:

  Value       Description
  COUNT       Increment the count by 1 each time the value is not empty or null.
  COUNT_TRUE  Increment the count by 1 each time a boolean value is TRUE.
  SUM         Compute the sum of the attribute's value.
- Verify that the attributes are in the order you want. If there is more than one attribute, you can change the order by disabling the Preserve Order toggle and dragging the attributes into the desired arrangement. Changing the attribute order is not allowed once the cube is created.
- Click Next.
The attribute tables created in the Splunk UBA web interface are stored in the Impala data tables. Do not delete or edit the tables using the CLI. Edit the data cube using the Splunk UBA web interface if you need to make changes.
Configure the aggregation filter
Filter the data you want to store in the cube so that only events a model can use are stored. For example, suppose you have a cube that is tracking attributes from Windows security events for a specific use case. In some cases, an event may be missing an event ID. Such an event should not be stored in the cube, because without an event ID it is not useful later on when a model parses it. Enter a filter such as the following to make sure that events without an event ID are not stored:
eventId != null
Multiple filters are processed using a logical AND relationship among the filters.
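To make the attribute and filter semantics above concrete, the following Python model is an added example; it is not Splunk UBA code and does not run inside Splunk UBA. It reproduces what this page describes: several aggregation filters combined with a logical AND, grouping of events by the dimension attributes, and measures folded in with COUNT, COUNT_TRUE or SUM, plus the attribute-name rule and the six-dimension/three-measure limits. The event records, the cube definition (userId and eventId as dimensions; logon_count, success_count and bytes_total as measures) and the filter predicate are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample events, already mapped to view attributes. The third
# event has no eventId and must be dropped by the aggregation filter.
EVENTS = [
    {"userId": "u-1", "eventId": 4624, "success": True,  "bytes": 120},
    {"userId": "u-1", "eventId": 4625, "success": False, "bytes": 80},
    {"userId": "u-2", "eventId": None, "success": True,  "bytes": 500},
    {"userId": "u-2", "eventId": 4624, "success": True,  "bytes": None},
    {"userId": "u-2", "eventId": 4624, "success": True,  "bytes": 40},
]

# Constructed cube definition (hypothetical attribute names). Dimensions are
# the group-by keys; each measure is (function, source attribute).
DIMENSIONS = ["userId", "eventId"]
MEASURES = {
    "logon_count":   ("COUNT", "eventId"),       # +1 when value is not empty/null
    "success_count": ("COUNT_TRUE", "success"),  # +1 when boolean value is True
    "bytes_total":   ("SUM", "bytes"),           # sum of the attribute's values
}

# Aggregation filters: every filter must hold for an event to be stored
# (logical AND). This one is the page's "eventId != null" example.
FILTERS = [lambda e: e.get("eventId") is not None]

# Attribute-name rule from the page: alphanumeric plus underscore, no
# whitespace, and at least one letter. Limits are from the page as well.
NAME_RE = re.compile(r"^(?=.*[A-Za-z])[A-Za-z0-9_]+$")
MAX_DIMENSIONS, MAX_MEASURES = 6, 3


def validate_cube(dimensions, measures):
    """Return a list of definition errors; an empty list means valid."""
    errors = []
    if len(dimensions) > MAX_DIMENSIONS:
        errors.append(f"too many dimensions: {len(dimensions)} > {MAX_DIMENSIONS}")
    if len(measures) > MAX_MEASURES:
        errors.append(f"too many measures: {len(measures)} > {MAX_MEASURES}")
    for name in list(dimensions) + list(measures):
        if not NAME_RE.match(name):
            errors.append(f"invalid attribute name: {name!r}")
    for name, (func, _attr) in measures.items():
        if func not in ("COUNT", "COUNT_TRUE", "SUM"):
            errors.append(f"unsupported measure function {func!r} on {name}")
    return errors


def passes_filters(event, filters):
    """All filters must hold (logical AND); no filters means everything passes."""
    return all(f(event) for f in filters)


def apply_measure(func, current, value):
    """Fold one event's value into a running measure."""
    if func == "COUNT":
        return current + (0 if value in (None, "") else 1)
    if func == "COUNT_TRUE":
        return current + (1 if value is True else 0)
    if func == "SUM":
        return current + (0 if value is None else value)
    raise ValueError(f"unsupported measure function {func!r}")


def aggregate(events, dimensions=DIMENSIONS, measures=MEASURES, filters=FILTERS):
    """Group filtered events by the dimension tuple and fold in each measure."""
    errors = validate_cube(dimensions, measures)
    if errors:
        raise ValueError("; ".join(errors))
    cells = defaultdict(lambda: {name: 0 for name in measures})
    for event in events:
        if not passes_filters(event, filters):
            continue
        key = tuple(event.get(d) for d in dimensions)
        cell = cells[key]
        for name, (func, attr) in measures.items():
            cell[name] = apply_measure(func, cell[name], event.get(attr))
    return dict(cells)


if __name__ == "__main__":
    for key, cell in sorted(aggregate(EVENTS).items(), key=str):
        print(key, cell)
```

Running the model over the constructed events yields three cells: the event without an eventId never reaches the cube, and the two (u-2, 4624) events collapse into one cell where the missing bytes value contributes nothing to the SUM. Removing the filter keeps that event and shows why the page recommends filtering it: its COUNT on eventId stays at 0, so the cell carries no useful signal for a model.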
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0