Review and edit existing data sources in Splunk UBA
Review the data sources to make sure that data ingestion is proceeding as expected.
View job execution times in Splunk Enterprise
Splunk UBA performs micro-batched searches in one-minute intervals against Splunk Enterprise to pull in events. Review the search job execution times to make sure that they are not exceeding one minute.
- In Splunk Enterprise, select Activity > Jobs to open the Jobs page.
- Filter the jobs by searching for the usernames of the Splunk UBA data sources.
- Examine the value in the Runtime column to make sure that the job is taking less than one minute to execute.
- Use the Search job inspector to drill down and view more information if needed.
See About jobs and job management in the Splunk Enterprise Search Manual for more information about the Jobs page and using the Search job inspector to view detailed information about a job.
Review data sources in Splunk UBA
Select Manage > Data Sources to view existing data sources and the number of events added from each data source. Key indicators reveal statistics about your data. Click a key indicator to see more detail. Review the name, type, format, status, number of events, and the date added for each data source.
Data sources in Splunk UBA can have the following statuses:
|Status||What the status means about the data source|
|Processing||Data sources begin with this status when you create them in Splunk UBA.|
|Complete||File-based data sources, batch jobs, and scheduled jobs have this status when data ingestion is complete.|
|Stopped||Data sources have this status in the following situations:
|Failed||Data sources have this status when JobManager detects any errors, such as Splunk server connectivity issues, or a data source cannot be created. The job is marked as Failed with an error message displayed in Splunk UBA.|
|Scheduled||Scheduled jobs, such as Human Resources (HR) data or Threat Intel, have this status before they are run.|
Live data sources can only be in Processing, Stopped, or Failed state.
Edit data sources in Splunk UBA
You can edit an existing data source in Splunk UBA. For example, you can change the name of a data source or update its connection information, time range, or SPL. A data source can be edited regardless of its status.
Perform the following steps to edit a data source:
- Click on the data source you want to edit. You can review detailed information about the data source such as its URL, time range, and SPL. This can help you verify the information you need to update.
- Click Edit.
- Make the desired changes and navigate through the Edit Data Source wizard until you reach the end.
- Click OK.
Changes to a data source are not picked up by Splunk UBA until the data source is restarted.
- If the data source is currently running, click Stop to stop the data source, then click Start to restart it.
- If the data source is currently not running, click Start to start the data source.
Monitor the quality of data sent from the Splunk platform
Validate data availability
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 184.108.40.206, 5.0.5, 220.127.116.11, 5.1.0, 18.104.22.168, 5.2.0
Feedback submitted, thanks!