Add file-based data sources to Splunk UBA
Add new file-based data sources to Splunk UBA. You can use file-based data sources for testing on a small scale.
- In Splunk UBA, select Manage > Data Sources.
- Click New Data Source.
- Select the type of data source you want to add.
- Click Next.
- Enter a Name to identify the data source in Splunk UBA.
- Upload the file.
- Click OK.
Because file-based data sources represent static data, you can write a script to create new files periodically, and then load this data into Splunk UBA.
When ingesting file-based events, Splunk UBA extracts the timestamp from events. In most cases, file-based events do not have a time zone associated with the events, so Splunk UBA uses UTC as the default time zone. If you do not want to use UTC as the time zone, perform the following tasks:
- Log in to the management node of your Splunk UBA deployment as the caspida user.
- Edit the
/etc/caspida/local/conf/uba-site.propertiesfile and add the
parser.global.input_timezoneproperty. For example, to set the property to Pacific Standard Time (Los Angeles):
- Synchronize the cluster if you have a distributed deployment:
/opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf
- Stop and start The Splunk UBA containers:
/opt/caspida/bin/Caspida stop-containers /opt/caspida/bin/Caspida start-containers
Get data into Splunk UBA
Add data sources to Splunk UBA in test mode
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 184.108.40.206, 5.0.5, 220.127.116.11, 5.1.0, 18.104.22.168