Validate data availability
After data is loaded into Splunk UBA, use the Data Availability page to validate or troubleshoot your data ingestion and identify missing data sources that enable Splunk UBA use cases, such as an expected anomaly not being triggered. Data availability shows the relationships and mappings among the following areas in Splunk UBA:
- Anomaly types
- Anomaly categories
- Threat types
- Data Views
- Data Sources
To access the Data Availability page, select System > Data Availability in Splunk UBA.
Click on a content type in the Data Available section, which is at the top of the left column. In this example, the Unusual Machine Access anomaly is selected, and the page shows the data sources and threat model used to generate this anomaly. The box containing the anomaly name has a dark blue background indicating that all expected data sources are accounted for and the use case is operational.
If Splunk UBA detects that not all data sources are available, the anomaly appears in the Partial Data Available section in the left column.
In this example, the Blacklisted Entity Model takes data to generate Blacklisted Domain anomalies. Two data sources are already providing HTTP data to the model. However, the model also expects a DNS data source which is not present. The light gray DNS in the Models box indicates that the data source is missing or incomplete, and the box containing the anomaly name is light blue instead of a darker shade of blue.
If no data is available, the anomaly appears in the No Data Available section. The box containing the anomaly name has no color, indicating that none of the expected data sources are present.
Review and edit existing data sources in Splunk UBA
This documentation applies to the following versions of Splunk® User Behavior Analytics: 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 184.108.40.206