Obtain a Splunk license for ingesting Splunk UBA logs
Splunk UBA logs sent to Splunk Enterprise have a sourcetype of uba:*.
A new Splunk license allows Splunk UBA logs to be ingested free of charge, up to 150GB per day. You can specify a new custom index to use instead of potentially overloading the default _internal index. Once the Splunk UBA logs are ingested by Splunk Enterprise, they can be used by the Splunk UBA Monitoring App. See About the Splunk UBA Monitoring app in the Splunk UBA Monitoring App manual.
Perform the following tasks to request and obtain the license:
- Begin by Contacting Splunk Support to request the new license. Specify the following:
  - Product: Splunk Enterprise
  - Area: Entitlement & Licensing
  - Feature: Licensing
  - Subject: Splunk Enterprise license for ingesting Splunk_UBA_logs
  - Description: Requesting license on Splunk Enterprise to ingest Splunk UBA Logs.
- Install the license on Splunk Enterprise. See Install a license in the Splunk Enterprise Installation manual.
- See Send Splunk UBA logs to a custom index on Splunk Enterprise.
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1