Splunk® User Behavior Analytics

Get Data into Splunk User Behavior Analytics

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Add raw events from the Splunk platform to Splunk UBA

You can add data that is not CIM-compliant and is from a supported data source type. View supported data source types on the Data Format page in the Edit Data Source Types window. Consider mapping the data to the appropriate CIM data model and use the method described in Add CIM-compliant data to Splunk UBA from the Splunk platform to add the data.

You can add data from multiple time zones using this method. By default, the connector.splunk.use.time property is set to true to allow data from multiple time zones. For more information about time zones and events in the Splunk platform, see Specify time zones for timestamps in Splunk Enterprise Getting Data In.

To add data that is not CIM-compliant or not from a supported data source type, contact Splunk Professional Services.

Add data from one source type in the Splunk platform to Splunk UBA

  1. In Splunk UBA, select Manage > Data Sources.
  2. Click New Data Source.
  3. Select Splunk as the data source type and click Next.
  4. Specify a name for the data source, such as Splunk. The data source name must be alphanumeric, with no spaces or special characters.
  5. Type a connection URL that matches the URL for your Splunk platform or Enterprise Security search head and management port. For example, TCP port 8089.
  6. Type the user name and password for the Splunk platform account.
  7. Select a Connector Type of Splunk Raw Events and click Next.
  8. Select a time range.
    • To continuously retrieve data using time-based micro batch queries, select Live and All time. See How data gets into Splunk UBA.
    • To retrieve for a specific time window, select Live and Time Window and specify a time period. For example, specify 8h 30s to retrieve data for the past 8 hours and 30 seconds. This is a one-time search and is performed when the data source is added to Splunk UBA. Micro-batch queries are not used for this search.
    • To add historical data from the Splunk platform, select Date Range and select a calendar date range. Only events within the specified calendar window are retrieved. This is a one-time search and is performed when the data source is added to Splunk UBA. Micro-batch queries are not used for this search.
  9. Click Next.
  10. Click Source Types to view the source types from your Splunk platform data.
    Splunk UBA will try to form a connection with the Splunk platform and find source types across all default indexes. If no source types appear, you may have a firewall rule preventing you from being able to query the Splunk platform. You must be able to connect to the Splunk platform and see at least one data source type before you continue.
  11. Select one data source type and click Next.
  12. Select Single Format.
  13. Select the format from the drop-down list of formats.
  14. Click Next.
  15. To add the data source in test mode, leave the check box selected. See Add data sources to Splunk UBA in test mode.
  16. Click OK.

Add data from multiple source types in the Splunk platform to Splunk UBA

Follow this procedure to add multiple data source types from the Splunk platform to Splunk UBA:

  1. In Splunk UBA, select Manage > Data Sources.
  2. Click New Data Source.
  3. Select Splunk as the data source type and click Next.
  4. Specify a name for the data source, such as Splunk. The data source name must be alphanumeric, with no spaces or special characters.
  5. Type a connection URL that matches the URL for your Splunk platform or Enterprise Security search head and management port. For example, TCP port 8089.
  6. Type the user name and password for the Splunk platform account.
  7. Select a Connector Type of Splunk Raw Events and click Next.
  8. Select a time range.
    • To continuously retrieve data using time-based micro batch queries, select Live and All time. See How data gets into Splunk UBA.
    • To retrieve for a specific time window, select Live and Time Window and specify a time period. For example, specify 8h 30s to retrieve data for the past 8 hours and 30 seconds. This is a one-time search and is performed when the data source is added to Splunk UBA. Micro-batch queries are not used for this search.
    • To add historical data from the Splunk platform, select Date Range and select a calendar date range. Only events within the specified calendar window are retrieved. This is a one-time search and is performed when the data source is added to Splunk UBA. Micro-batch queries are not used for this search.
  9. Click Next.
  10. Click Source Types to view the source types from your Splunk platform data.
    Splunk UBA will try to form a connection with the Splunk platform and find source types across all default indexes. If no source types appear, you may have a firewall rule preventing you from being able to query the Splunk platform. You must be able to connect to the Splunk platform and see at least one data source type before you continue.
  11. Select one data source type and click Next.
  12. Select Multiple Formats.
  13. Click Edit Splunk Types Mapping.
  14. Review the list of existing mappings for the data source types you want to add.
    If your data source type is not listed, click Add Mapping and type the Splunk source type in the Splunk Type text box.

    Do not remove any of the existing mappings, as they may be used by other data sources in your system.

  15. Select the UBA Format that matches each data source type from the drop-down list of formats. Specify the Splunk Type in all capital letters.
  16. Click OK to save the data source type mapping.
  17. Click Next.
  18. To add the data source in test mode, leave the check box selected. See Add data sources to Splunk UBA in test mode.
  19. Click OK.
Last modified on 20 March, 2020
PREVIOUS
Add CIM-compliant data from the Splunk platform to Splunk UBA
  NEXT
Add custom data to Splunk UBA using the generic data source

This documentation applies to the following versions of Splunk® User Behavior Analytics: 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters